1 00:15:01,82 --> 00:15:43,24 You. 2 00:15:43,24 --> 00:15:47,09 The witness is going to take your seats we're waiting for the gentleman from Texas 3 00:15:47,09 --> 00:15:50,18 the ranking member he's expected presently 4 00:15:50,18 --> 00:15:58,98 and as soon as he comes in we'll get started. 5 00:16:01,43 --> 00:16:08,55 She cares. 6 00:16:08,55 --> 00:16:09,07 The 7 00:16:09,07 --> 00:16:29,13 two. 8 00:16:29,13 --> 00:16:32,95 Subcommittee will now come to order. I'm pleased to welcome you today to the hearing 9 00:16:32,95 --> 00:16:36,65 before the Subcommittee on Crime, Terrorism and Homeland Security on H.R. 10 00:16:36,65 --> 00:16:38,32 Forty one seventy five. 11 00:16:38,32 --> 00:16:41,77 The Privacy and Cyber Crime Enforcement Act of two thousand and seven. 12 00:16:41,77 --> 00:16:46,03 I'd like to thank the chairman of the full committee Mr Conyers for introducing the 13 00:16:46,03 --> 00:16:47,83 bill with bipartisan support. 14 00:16:47,83 --> 00:16:52,67 The bill was introduced by the right by the chairman 15 00:16:52,67 --> 00:16:56,51 and ranking member of the committee and the subcommittee 16 00:16:56,51 --> 00:16:59,67 and I'm pleased to have been working with Mr Conyers 17 00:16:59,67 --> 00:17:04,73 in drafting it to provide effective tools for federal prosecutors and state 18 00:17:04,73 --> 00:17:10,02 and local law enforcement agencies to combat identity theft and other cyber crimes. 19 00:17:10,02 --> 00:17:14,12 The Act takes several important steps to protect American consumers from the 20 00:17:14,12 --> 00:17:18,27 dangers of identity theft. First, our bill provides for the victims of identity 21 00:17:18,27 --> 00:17:19,23 theft. 22 00:17:19,23 --> 00:17:23,63 Provide them with the ability to seek restitution in federal court for the loss of 23 00:17:23,63 --> 00:17:26,38 time and money spent restoring their credit. 
24 00:17:26,38 --> 00:17:31,09 Under current law restitution to victims is only available to recover the direct 25 00:17:31,09 --> 00:17:35,99 financial cost of identity theft offenses such as recovering funds from authorized 26 00:17:35,99 --> 00:17:38,47 credit credit cards charges. 27 00:17:38,47 --> 00:17:42,70 But many identity theft victims incur other indirect costs such as loss of wages 28 00:17:42,70 --> 00:17:48,52 due to time taken off from work to resolve credit disputes. The bill amends the present 29 00:17:48,52 --> 00:17:49,45 law to make it clear 30 00:17:49,45 --> 00:17:53,73 that restitution orders may include an amount equal to the value of the victim's 31 00:17:53,73 --> 00:17:59,13 time spent addressing the actual or intended harm of the identity theft. 32 00:18:00,00 --> 00:18:03,24 And the bill addresses the urgent need for agencies 33 00:18:03,24 --> 00:18:05,99 and companies to provide appropriate notification 34 00:18:05,99 --> 00:18:10,88 when they experience major breaches. The problem of data breaches remains a persistent 35 00:18:10,88 --> 00:18:14,61 and dangerous threat to Americans' privacy. For example in two thousand 36 00:18:14,61 --> 00:18:16,11 and six there was a disclosure 37 00:18:16,11 --> 00:18:20,41 that a company had suffered a major computer breach involving up to forty five 38 00:18:20,41 --> 00:18:24,04 million credit card credit and debit card records. 39 00:18:24,04 --> 00:18:25,64 The company knew about the breach. 40 00:18:25,64 --> 00:18:28,41 None of its customers were told about it until a month later 41 00:18:28,41 --> 00:18:31,24 and we're all aware of the identity theft 42 00:18:31,24 --> 00:18:34,05 from twenty six million of our veterans 43 00:18:34,05 --> 00:18:38,37 and active duty personnel from the Department of Veterans Affairs last year. 
44 00:18:38,37 --> 00:18:43,08 Although up to thirty nine states have laws pertaining to data breaches there's no 45 00:18:43,08 --> 00:18:46,18 federal standard or regulation to provide notice. 46 00:18:46,18 --> 00:18:49,14 The bill requires rapid notice of breaches to the F.B.I. 47 00:18:49,14 --> 00:18:53,32 and Secret Service and this notice is critical to the successful investigation 48 00:18:53,32 --> 00:18:58,83 and prosecution of any criminal activity associated with the breach. The F.B.I. 49 00:18:58,83 --> 00:18:59,05 and the 50 00:18:59,05 --> 00:19:02,87 Secret Service would then publish the list of reported breaches in the Federal 51 00:19:02,87 --> 00:19:05,96 Register so that the public will be aware of where 52 00:19:05,96 --> 00:19:09,45 and to what extent major data breaches are occurring. 53 00:19:09,45 --> 00:19:13,80 Only the bill makes it a crime punishable by up to five years in prison for 54 00:19:13,80 --> 00:19:18,98 knowingly failing to report major breaches to the appropriate authorities. 55 00:19:18,98 --> 00:19:22,95 Lastly this bill provides much needed tools to federal 56 00:19:22,95 --> 00:19:28,15 and state law enforcement agents. The bill adds section ten thirty two the. 57 00:19:28,15 --> 00:19:32,93 Computer Fraud and Abuse Act. And Section ten thirty. 
58 00:19:32,93 --> 00:19:37,34 The Computer Fraud and Abuse Act to the RICO statute which will provide the Department 59 00:19:37,34 --> 00:19:40,03 of Justice with much with a much needed tool to investigate 60 00:19:40,03 --> 00:19:44,34 and prosecute organized crime syndicates which use sophisticated cyber crime 61 00:19:44,34 --> 00:19:50,36 cyber schemes to commit criminal acts. The bill also authorizes twenty five 62 00:19:50,36 --> 00:19:53,00 million dollars each of the fiscal years from two thousand 63 00:19:53,00 --> 00:19:53,87 and eight to two thousand 64 00:19:53,87 --> 00:19:59,37 and ten to several state grant programs so than for some of cyber crimes. State 65 00:19:59,37 --> 00:19:59,86 and local law 66 00:20:00,00 --> 00:20:03,27 enforcement resources need to be strengthened to attack the low lying 67 00:20:03,27 --> 00:20:07,95 identity theft that federal prosecutors failed to go after. We heard the last 68 00:20:07,95 --> 00:20:13,63 Congress at a subcommittee hearing about the incident involving Senator Domenici 69 00:20:13,63 --> 00:20:18,86 where some eight hundred dollars in merchandise was charged to a stolen credit card. 70 00:20:18,86 --> 00:20:21,83 We found that the crime was not being prosecuted. 71 00:20:21,83 --> 00:20:24,37 So it seems thieves are left with the knowledge 72 00:20:24,37 --> 00:20:28,17 that if they don't steal too much they can do so with impunity. 73 00:20:28,17 --> 00:20:32,53 The credit card company will cancel the debt, write off the loss and 74 00:20:32,53 --> 00:20:34,93 there will be no criminal investigation 75 00:20:34,93 --> 00:20:39,16 and so the thieves can keep their bounty of their crimes without worrying about 76 00:20:39,16 --> 00:20:40,74 prosecution. 
77 00:20:40,74 --> 00:20:41,00 I believe 78 00:20:41,00 --> 00:20:44,59 that the Secret Service working in partnership with state law enforcement could 79 00:20:44,59 --> 00:20:48,87 quickly reverse this expectation that thieves have on this front. 80 00:20:48,87 --> 00:20:51,78 Forty one seventy five is a comprehensive bill 81 00:20:51,78 --> 00:20:55,27 and not only deals with the need to provide law enforcement. 82 00:20:55,27 --> 00:21:02,17 Notice the law enforcement when innocent. Customer consumers have the data breach. 83 00:21:02,17 --> 00:21:06,85 It is also it also deals with the underlying problems of lack of accountability to 84 00:21:06,85 --> 00:21:10,50 deter crimes from occurring in the first place. Our privacy 85 00:21:10,50 --> 00:21:14,30 and cyber crimes lag behind both capabilities of our technology 86 00:21:14,30 --> 00:21:19,05 and the sophistication of identity thieves and this legislation will close 87 00:21:19,05 --> 00:21:19,54 that gap 88 00:21:19,54 --> 00:21:24,21 and it's my pleasure to recognize our new ranking member of the subcommittee the 89 00:21:24,21 --> 00:21:26,99 gentleman from Texas Judge Gohmert. 90 00:21:26,99 --> 00:21:31,13 Thank you Chairman Scott thank you to the witnesses. 91 00:21:31,13 --> 00:21:34,99 State to one thirty when it was apparent we were going to be a wild 92 00:21:34,99 --> 00:21:36,17 and ran over the Capitol 93 00:21:36,17 --> 00:21:42,08 but because the hour is so much later I have an opening statement 94 00:21:42,08 --> 00:21:47,31 but I would ask unanimous consent to simply submit it for the record. 95 00:21:47,31 --> 00:21:50,22 Unless you all want me to read my opening statement I will 96 00:21:50,22 --> 00:21:56,39 but otherwise will submit that let me just give the last thirty sentences H.R. 97 00:21:56,39 --> 00:21:59,87 Forty one seventy five was introduced by Chairman Conyers, Ranking Member 98 00:22:00,00 --> 00:22:05,55 Smith, Subcommittee Chairman Scott, then Ranking Member 
Forbes bipartisan proposal. 99 00:22:05,55 --> 00:22:10,12 I think represents a good first step in tackling the difficult problem the 100 00:22:10,12 --> 00:22:11,78 Democrats absence Abercrombie 101 00:22:11,78 --> 00:22:15,30 and so I will look forward to hearing from the witnesses 102 00:22:15,30 --> 00:22:20,15 and working with my colleagues on this important piece of legislation and with 103 00:22:20,15 --> 00:22:24,21 that. I guess hearing no objection. 104 00:22:24,21 --> 00:22:24,54 Without objection 105 00:22:24,54 --> 00:22:29,01 that statement isn't it in the record thank you is we want to hear from you. 106 00:22:29,01 --> 00:22:34,45 Gentleman from Michigan chairman of the full committee. Thank you. 107 00:22:34,45 --> 00:22:39,29 And as the one that's guilty for holding you up so long 108 00:22:39,29 --> 00:22:44,59 I will make will not give you my statement 109 00:22:44,59 --> 00:22:49,03 and put it in the record and add that the Privacy 110 00:22:49,03 --> 00:22:54,22 and Cyber Crime Enforcement Act is a strong bipartisan measure 111 00:22:54,22 --> 00:22:59,40 that I believe will help combat the growing threat of identity theft 112 00:22:59,40 --> 00:23:05,85 and other cyber crimes. This balanced bill protects the privacy rights of 113 00:23:05,85 --> 00:23:12,74 consumers, the interests of businesses and the legitimate needs of law enforcement. 114 00:23:12,74 --> 00:23:16,76 And I would like to emphasize that 115 00:23:16,76 --> 00:23:20,86 I look forward to the passage of a cybercrime law 116 00:23:20,86 --> 00:23:27,66 but not at the expense of the substantive issues involved including requiring 117 00:23:27,66 --> 00:23:32,00 much needed notices for security breaches. 118 00:23:32,00 --> 00:23:37,81 I'm aware of the passage of S. twenty one sixty eight in the Senate. 
119 00:23:37,81 --> 00:23:40,95 But our bill is more comprehensive 120 00:23:40,95 --> 00:23:46,48 and we need to examine it before making hasty decisions 121 00:23:46,48 --> 00:23:49,31 that impact consumers for years to come. 122 00:23:49,31 --> 00:23:52,22 Thank you very much Mr Chairman for your patience 123 00:23:52,22 --> 00:23:57,84 and forbearance. Thank thank you Mr Chairman. The gentleman from North Carolina. 124 00:23:57,84 --> 00:24:03,56 That was showing. Our away but least I join you and the ranking member 125 00:24:03,56 --> 00:24:06,36 in extending a welcome to our distinguished panel. 126 00:24:06,36 --> 00:24:06,86 Thank you 127 00:24:06,86 --> 00:24:10,98 and other members will have the opportunity to include opening statements in the 128 00:24:10,98 --> 00:24:15,03 record at this point. I want to thank the witnesses for your patience. 129 00:24:15,03 --> 00:24:18,68 Sometimes because of votes the schedule just goes 130 00:24:18,68 --> 00:24:22,01 and we appreciate your patience in remaining with us. 131 00:24:22,01 --> 00:24:25,13 We have a distinguished panel of witnesses here today. 132 00:24:25,13 --> 00:24:29,16 Help us consider important issues that are before us. The first witness is 133 00:24:29,16 --> 00:24:33,43 Andrew Lourie who is the acting principal deputy assistant attorney general 134 00:24:33,43 --> 00:24:37,53 and chief of staff for the criminal division at the Department of Justice. He is 135 00:24:37,53 --> 00:24:39,85 currently serving a detail from the U.S. 136 00:24:39,85 --> 00:24:43,36 Attorney's office from the southern district of Florida where for the past five 137 00:24:43,36 --> 00:24:46,88 years he served as managing the US managing assistant U.S. 138 00:24:46,88 --> 00:24:49,30 Attorney in the West Palm Beach office. 
139 00:24:49,30 --> 00:24:53,17 He served two prior details in the department both as chief of the public integrity 140 00:24:53,17 --> 00:24:59,71 section. Next witness a special agent in charge of the criminal investigative 141 00:24:59,71 --> 00:25:03,43 investigative division, the United States Secret Service. 142 00:25:03,43 --> 00:25:07,30 He provides guidance in determining the investigative focus of the division which 143 00:25:07,30 --> 00:25:10,75 provides direction to all Secret Service field offices. 144 00:25:10,75 --> 00:25:16,12 Is a twenty year veteran of the Secret Service, a native of Columbus Ohio, received 145 00:25:16,12 --> 00:25:18,42 his bachelor of arts degree from the University of Maryland 146 00:25:18,42 --> 00:25:22,76 and a master's degree in the field of management from Johns Hopkins University. 147 00:25:22,76 --> 00:25:27,99 Next will be Joel Winston, the associate director of the division of privacy 148 00:25:27,99 --> 00:25:31,71 and identity protection at the Federal Trade Commission's Bureau of Consumer 149 00:25:31,71 --> 00:25:35,35 Protection. Division has a responsibility over consumer privacy 150 00:25:35,35 --> 00:25:39,92 and security issues, identity theft and credit reporting matters. 151 00:25:39,92 --> 00:25:44,04 Mr Winston is currently serving on the federal government's identity theft task 152 00:25:44,04 --> 00:25:48,02 force which was created by the president in March two thousand and six. 153 00:25:48,02 --> 00:25:49,67 Mr Winston received his undergraduate 154 00:25:49,67 --> 00:25:53,17 and law degrees from the University of Michigan. 155 00:25:53,17 --> 00:25:58,67 Next will be Jamie Knapp executive director of the Identity Theft Action Council of Nebraska. 
156 00:26:00,00 --> 00:26:00,83 At the council in two thousand 157 00:26:00,83 --> 00:26:06,51 and six she sees me she said she found her she founded the council in two thousand 158 00:26:06,51 --> 00:26:11,30 and six to use her journey as an identity theft victim to help while this council 159 00:26:11,30 --> 00:26:15,57 is the first nonprofit organization dedicated solely to identity theft issues 160 00:26:15,57 --> 00:26:18,19 assisting victims in Nebraska. 161 00:26:18,19 --> 00:26:23,64 She received her bachelor of journalism from the University of Nebraska at Lincoln. 162 00:26:23,64 --> 00:26:28,63 Next will be Robert Holleyman, president of the Business Software Alliance. Mr 163 00:26:28,63 --> 00:26:32,23 Holleyman has headed the alliance since one thousand nine hundred overseeing 164 00:26:32,23 --> 00:26:36,57 operations in more than eighty five countries, is widely known for his work on 165 00:26:36,57 --> 00:26:41,51 policy related issues affecting the technology technology industry including 166 00:26:41,51 --> 00:26:45,92 intellectual property law, cyber security, international trade 167 00:26:45,92 --> 00:26:47,76 and electronic commerce. 168 00:26:47,76 --> 00:26:52,27 Bachelor of Arts degree in Political Science at Trinity University in Texas. 169 00:26:52,27 --> 00:26:55,91 Doctorate from Louisiana State University Law Center in Baton Rouge. 170 00:26:55,91 --> 00:27:02,36 Finally we have Lillie Coney, associate director of the Electronic Privacy 171 00:27:02,36 --> 00:27:04,31 Information Center in Washington D.C. 172 00:27:04,31 --> 00:27:09,01 She serves as a coordinator for the privacy coalition. The privacy coalition has 173 00:27:09,01 --> 00:27:13,05 over forty organizations and affiliates who share a commitment of freedom 174 00:27:13,05 --> 00:27:14,04 and privacy rights. 
175 00:27:14,04 --> 00:27:19,23 She's testified before the Department of Homeland Security Department Homeland 176 00:27:19,23 --> 00:27:20,46 Security data privacy 177 00:27:20,46 --> 00:27:24,96 and integrity advisory committee under the domestic surveillance. 178 00:27:24,96 --> 00:27:30,34 Now each of our witnesses' written statements will be made part of the record in. 179 00:27:30,34 --> 00:27:32,47 All of the statements in their entirety. 180 00:27:32,47 --> 00:27:36,85 I ask that each witness summarize his or her testimony in five minutes or less 181 00:27:36,85 --> 00:27:40,74 and to help you stay within that time there's a timing device on your table 182 00:27:40,74 --> 00:27:47,21 that will start green, go to yellow when you have one minute left and then 183 00:27:47,21 --> 00:27:50,52 finally to red when your time has expired. 184 00:27:50,52 --> 00:27:55,10 Will begin with and unfortunately we're expecting a vote any minute now. 185 00:27:55,10 --> 00:27:58,98 So with those bars we can break for a vote and then come right back. 186 00:28:00,00 --> 00:28:03,62 Mr Lourie. Thank you. Good afternoon. 187 00:28:03,62 --> 00:28:05,66 Chairman Scott, ranking member Gohmert 188 00:28:05,66 --> 00:28:10,28 and members of the subcommittee, it is a pleasure to appear before you today to testify 189 00:28:10,28 --> 00:28:13,86 about the Department of Justice's commitment to combating computer crime 190 00:28:13,86 --> 00:28:14,89 and identity theft 191 00:28:14,89 --> 00:28:18,52 and about the important legislation this subcommittee is considering to address 192 00:28:18,52 --> 00:28:23,61 these threats. As information technology increasingly pervades every aspect of our 193 00:28:23,61 --> 00:28:27,03 society the opportunities for criminals to take advantage of it 
194 00:28:27,03 --> 00:28:32,26 have also increased. One result has been the rise of identity theft. The Department of 195 00:28:32,26 --> 00:28:35,79 Justice is dedicated to aggressively pursuing all forms of cyber crime 196 00:28:35,79 --> 00:28:36,94 and identity theft. 197 00:28:36,94 --> 00:28:42,01 However shortcomings in existing law have at times inhibited its ability to do so. 198 00:28:42,01 --> 00:28:44,50 The privacy and cyber crime Act of two thousand 199 00:28:44,50 --> 00:28:46,72 and seven would address several of the shortcomings 200 00:28:46,72 --> 00:28:50,57 and provide important tools to promote law enforcement efforts. 201 00:28:50,57 --> 00:28:54,68 The Act includes many provisions also recommended in the strategic plan released 202 00:28:54,68 --> 00:28:58,99 earlier this year by the president's identity theft task force. The department is 203 00:28:58,99 --> 00:29:00,92 pleased to see the depth of the common ground 204 00:29:00,92 --> 00:29:04,94 that we share on these key issues. In particular the department applauds the 205 00:29:04,94 --> 00:29:06,25 amendments in the act that would ensure 206 00:29:06,25 --> 00:29:10,25 that victims receive fair restitution for the time spent to remediate the harm 207 00:29:10,25 --> 00:29:12,75 resulting from identity theft offenses. 208 00:29:12,75 --> 00:29:16,11 Similarly the Department supports the provisions of the act 209 00:29:16,11 --> 00:29:19,36 that enhance our ability to prosecute the theft of sensitive information from 210 00:29:19,36 --> 00:29:22,67 computers, close loopholes in the cyber extortion statute 211 00:29:22,67 --> 00:29:26,12 and enable us to bring computer crime charges against criminal conspiracies 212 00:29:26,12 --> 00:29:30,42 and organized criminal groups. In addition to these many positive aspects the 213 00:29:30,42 --> 00:29:33,52 department would like to provide some suggestions that would strengthen the bill. 
214 00:29:33,52 --> 00:29:38,34 First we strongly encourage the committee to consider amending eighteen U.S.C. 215 00:29:38,34 --> 00:29:41,11 Section ten thirty (a)(5) to close a loophole 216 00:29:41,11 --> 00:29:46,31 and appropriately penalize the use of malicious spyware, botnets and keyloggers. 217 00:29:46,31 --> 00:29:48,28 Current law criminalizes actions 218 00:29:48,28 --> 00:29:52,22 that cause damage to computers by impairing the integrity or availability of data 219 00:29:52,22 --> 00:29:54,76 or computer systems. 220 00:29:54,76 --> 00:29:58,84 Absent special circumstances however the conduct must cause loss exceeding five 221 00:29:58,84 --> 00:29:59,95 thousand dollars to constitute 222 00:30:00,00 --> 00:30:04,69 a federal crime. Many identity thieves obtain personal information by installing 223 00:30:04,69 --> 00:30:07,80 malicious software on numerous individual computers. 224 00:30:07,80 --> 00:30:08,36 Whether 225 00:30:08,36 --> 00:30:12,06 or not the programs succeed in stealing information they harm the integrity of the 226 00:30:12,06 --> 00:30:13,15 computer and data. 227 00:30:13,15 --> 00:30:14,70 However it is often difficult 228 00:30:14,70 --> 00:30:18,58 or impossible to measure the loss to each computer owner or to prove 229 00:30:18,58 --> 00:30:23,38 that the many small losses together exceed five thousand dollars. Two amendments 230 00:30:23,38 --> 00:30:27,47 could remedy this situation. First Congress could amend Section ten thirty (a)(5) 231 00:30:27,47 --> 00:30:30,61 to make it a misdemeanor offense to damage a protected computer 232 00:30:30,61 --> 00:30:34,46 and cause less than five thousand dollars in loss. Whether 233 00:30:34,46 --> 00:30:36,21 or not the committee considers that amendment 234 00:30:36,21 --> 00:30:38,70 we strongly recommend adding a provision to the act 235 00:30:38,70 --> 00:30:42,55 that would make it a federal felony to damage ten or more protected computers 
236 00:30:42,55 --> 00:30:44,48 regardless of loss. 237 00:30:44,48 --> 00:30:47,60 Let me turn now to section one oh two of the bill, the provision 238 00:30:47,60 --> 00:30:50,93 that requires victims of major security breaches to provide notice to law 239 00:30:50,93 --> 00:30:54,80 enforcement. The bill defines major security breach as a breach 240 00:30:54,80 --> 00:30:57,55 that involves the means of identification pertaining to ten thousand 241 00:30:57,55 --> 00:30:59,45 or more individuals. 242 00:30:59,45 --> 00:31:04,01 This threshold is too high. To give the number some context the theft of as few as 243 00:31:04,01 --> 00:31:07,86 one thousand credit card numbers is under the current sentencing guidelines 244 00:31:07,86 --> 00:31:11,45 presumed to involve a minimum loss of five hundred thousand dollars. 245 00:31:11,45 --> 00:31:16,49 We therefore recommend that the threshold for a major security breach be reduced. 246 00:31:16,49 --> 00:31:20,50 The definition should also be amended to include any breach where there may be a 247 00:31:20,50 --> 00:31:21,29 threat to national security 248 00:31:21,29 --> 00:31:25,93 or risk of significant monetary loss without regard to the number of records 249 00:31:25,93 --> 00:31:30,92 affected. We would also like to mention section one zero six which contains a useful 250 00:31:30,92 --> 00:31:33,35 provision on the forfeiture of the instrumentalities 251 00:31:33,35 --> 00:31:37,89 and proceeds of cybercrime. We support the addition of a forfeiture provision. We 252 00:31:37,89 --> 00:31:40,71 suggest however that the act explicitly allow for both civil 253 00:31:40,71 --> 00:31:41,77 and criminal forfeiture 254 00:31:41,77 --> 00:31:45,96 and spell out the appropriate procedures. Language to accomplish these changes 255 00:31:45,96 --> 00:31:49,77 and other technical suggestions to improve the forfeiture procedures is included 256 00:31:49,77 --> 00:31:54,39 with the written testimony I've submitted to the subcommittee. 
In conclusion 257 00:31:54,39 --> 00:31:56,14 the department would like to emphasize 258 00:31:56,14 --> 00:31:59,35 that law enforcement can continue to fulfill its role in addressing the growing 259 00:31:59,35 --> 00:32:03,17 threat of computer crime and identity theft if we have the proper laws 260 00:32:03,17 --> 00:32:06,83 and appropriate resources. The privacy and cyber crime Act of two thousand 261 00:32:06,83 --> 00:32:11,03 and seven addresses many of those needs by closing loopholes in existing cybercrime 262 00:32:11,03 --> 00:32:14,12 statutes, improving our ability to prosecute criminal groups 263 00:32:14,12 --> 00:32:18,86 and providing much needed resources. We believe the act will be an important tool in 264 00:32:18,86 --> 00:32:22,49 the fight against cyber crime. Mr Chairman, this concludes my remarks. 265 00:32:22,49 --> 00:32:25,27 I will be pleased to answer questions from you and other members of the committee. 266 00:32:25,27 --> 00:32:30,76 Thank you Mr Lourie and assume ago. Good afternoon 267 00:32:30,76 --> 00:32:33,85 Chairman Scott and distinguished members of subcommittee. 268 00:32:33,85 --> 00:32:37,17 I'd like to thank you for the opportunity to address the subcommittee on the subject 269 00:32:37,17 --> 00:32:38,27 of identity crime 270 00:32:38,27 --> 00:32:42,48 and the role of the Secret Service in these investigations. The Secret Service is 271 00:32:42,48 --> 00:32:45,80 perhaps the best known for protecting our nation's leaders. 272 00:32:45,80 --> 00:32:48,71 We also investigate a wide array of financial crimes 273 00:32:48,71 --> 00:32:52,71 and work to safeguard our nation's critical financial infrastructure. 
274 00:32:52,71 --> 00:32:55,01 With the passage of legislation in one thousand nine hundred four 275 00:32:55,01 --> 00:32:59,07 and one thousand nine hundred six the Secret Service was authorized to investigate 276 00:32:59,07 --> 00:33:00,19 access device fraud 277 00:33:00,19 --> 00:33:03,90 and we were given parallel authority with other law enforcement agencies 278 00:33:03,90 --> 00:33:08,19 in identity crimes and computer fraud cases. Through our financial 279 00:33:08,19 --> 00:33:09,97 and electronic crime investigations 280 00:33:09,97 --> 00:33:13,70 the Secret Service has developed particular expertise in the area of identity theft, 281 00:33:13,70 --> 00:33:16,04 false identification fraud, 282 00:33:16,04 --> 00:33:20,93 access device fraud, bank fraud and computer fraud. In fiscal year two thousand 283 00:33:20,93 --> 00:33:24,95 and seven agents of the Secret Service arrested over four thousand three hundred 284 00:33:24,95 --> 00:33:29,40 suspects for identity theft crimes. These suspects are responsible for approximately 285 00:33:29,40 --> 00:33:33,22 six hundred ninety million actual fraud loss to American consumers 286 00:33:33,22 --> 00:33:37,97 and financial institutions. The Secret Service has observed a marked increase in 287 00:33:37,97 --> 00:33:38,69 identity theft 288 00:33:38,69 --> 00:33:43,26 and cybercrime. Criminals continue to seek new methods to compromise victims' 289 00:33:43,26 --> 00:33:43,77 personal 290 00:33:43,77 --> 00:33:48,15 and financial information. The recent trend observed by law enforcement is the use 291 00:33:48,15 --> 00:33:48,72 of computer 292 00:33:48,72 --> 00:33:53,04 and the Internet to launch cyber attacks targeting citizens financial citizens 293 00:33:53,04 --> 00:33:58,31 and financial institutions. Cyber criminals have become proficient at stealing 294 00:33:58,31 --> 00:33:59,41 victims' personal information. 
295 00:34:00,00 --> 00:34:04,84 The use of phishing e-mails, account takeover, malicious software, hacking attack 296 00:34:04,84 --> 00:34:08,01 and network intrusions result in a data breach. 297 00:34:08,01 --> 00:34:12,78 This stolen information is often sold in bulk quantities to illicit websites on the 298 00:34:12,78 --> 00:34:15,86 Internet. Criminal groups involved in identity theft 299 00:34:15,86 --> 00:34:20,18 and cyber crimes routinely operate in a multi-jurisdictional environment. By 300 00:34:20,18 --> 00:34:21,90 working closely with federal, state 301 00:34:21,90 --> 00:34:26,22 and local law enforcement representatives as well as international police agencies 302 00:34:26,22 --> 00:34:30,25 we're able to provide a comprehensive comprehensive network of intelligence sharing, 303 00:34:30,25 --> 00:34:35,80 resource sharing and technical expertise that bridge jurisdictional boundaries. 304 00:34:35,80 --> 00:34:39,70 This partnership approach to law enforcement is vital to our criminal investigative 305 00:34:39,70 --> 00:34:40,20 mission. 306 00:34:40,20 --> 00:34:44,77 The Secret Service has established a national network of financial crimes task 307 00:34:44,77 --> 00:34:49,75 forces and electronic crime task forces in cities across the United States. 
308 00:34:49,75 --> 00:34:53,83 These task forces leverage the combined resources of local state 309 00:34:53,83 --> 00:34:58,71 and federal law enforcement partners as well as technical experts from the academic 310 00:34:58,71 --> 00:34:58,72 community 311 00:34:58,72 --> 00:35:04,73 and private industry an organized effort to combat threats to our financial payment 312 00:35:04,73 --> 00:35:08,33 system and critical infrastructure collaboration between law enforcement 313 00:35:08,33 --> 00:35:13,19 and private sector is critical to our preventative approach to identity theft 314 00:35:13,19 --> 00:35:17,41 and cybercrime We also build partners with the academic community to ensure 315 00:35:17,41 --> 00:35:22,15 that law enforcement is on the cutting edge of technology by leveraging research 316 00:35:22,15 --> 00:35:27,82 and development capabilities of teaching institutions in technical colleges the 317 00:35:27,82 --> 00:35:32,14 Secret Service appreciates the subcommittees work to enhance the penalties 318 00:35:32,14 --> 00:35:35,67 and broaden investigative jurisdiction associated with identity theft 319 00:35:35,67 --> 00:35:37,80 and cyber crime. H.R. 320 00:35:37,80 --> 00:35:41,87 Forty one seventy five addresses many of the issues I've discussed today concerning 321 00:35:41,87 --> 00:35:43,78 these offenses H.R. 322 00:35:43,78 --> 00:35:48,46 Forty one seventy five expands the definition of cyber crime requires data brokers 323 00:35:48,46 --> 00:35:51,51 to notify law enforcement authorities of major security breaches 324 00:35:51,51 --> 00:35:55,54 and increases penalties for identity theft and other violations of data privacy 325 00:35:55,54 --> 00:35:59,94 and security. The Secret Service looks forward to working closely with Congress. 326 00:36:00,13 --> 00:36:05,45 As a address identity crime legislation as I've highlighted in my written statement. 
327 00:36:05,45 --> 00:36:09,20 The Secret Service has implemented a number of initiatives pertaining to identity 328 00:36:09,20 --> 00:36:09,80 crimes. 329 00:36:09,80 --> 00:36:14,48 We have dedicated enormous resources to increase public awareness, provide training 330 00:36:14,48 --> 00:36:15,60 to law enforcement partners 331 00:36:15,60 --> 00:36:20,62 and improve investigative techniques. We will continue to aggressively investigate 332 00:36:20,62 --> 00:36:25,45 identity theft offenders to protect consumers. The Secret Service is committed to 333 00:36:25,45 --> 00:36:30,21 our mission to safeguard the nation's critical financial infrastructure. Chairman 334 00:36:30,21 --> 00:36:32,10 Scott, this concludes my prepared remarks. 335 00:36:32,10 --> 00:36:35,40 Thank you again for the opportunity to testify on behalf of the Secret Service. 336 00:36:35,40 --> 00:36:40,31 Thank you thank you. Mr Winston. 337 00:36:40,31 --> 00:36:44,72 Thank you Chairman Scott, ranking member Gohmert and members of the subcommittee. 338 00:36:44,72 --> 00:36:49,96 I appreciate the opportunity to testify today about these critical issues of 339 00:36:49,96 --> 00:36:50,07 privacy 340 00:36:50,07 --> 00:36:55,10 and identity theft. As the Federal Trade Commission's recently issued national 341 00:36:55,10 --> 00:36:59,84 survey shows identity theft continues to afflict millions of Americans every year 342 00:36:59,84 --> 00:37:04,52 with losses in the billions of dollars. But beyond these real 343 00:37:04,52 --> 00:37:09,34 and substantial direct costs this crime harms our economic system by threatening 344 00:37:09,34 --> 00:37:12,03 consumer confidence. Many polls show 345 00:37:12,03 --> 00:37:17,91 that the level of consumer anxiety about identity theft is extremely high. The 346 00:37:17,91 --> 00:37:21,52 F.T.C. plays a lead role in the battle against identity theft 
347 00:37:21,52 --> 00:37:28,19 Through its law enforcement efforts to work on the president cast its extensive 348 00:37:28,19 --> 00:37:29,51 consumer and business education 349 00:37:29,51 --> 00:37:33,95 and its assistance to criminal law enforcement partners. 350 00:37:33,95 --> 00:37:39,09 One way to stop identity theft is to keep sensitive information out of the hands of 351 00:37:39,09 --> 00:37:40,80 thieves by ensuring 352 00:37:40,80 --> 00:37:45,51 that businesses protect the information they collect. Reports of the latest data 353 00:37:45,51 --> 00:37:47,12 breaches appear almost daily 354 00:37:47,12 --> 00:37:53,74 and continue to shake consumer confidence. Of course not all data breaches 355 00:37:53,74 --> 00:37:59,45 lead to identity but some do, causing real damage to affected consumers. 356 00:38:00,00 --> 00:38:05,49 The commission uses its authority under several federal laws to take action against 357 00:38:05,49 --> 00:38:10,60 businesses that fail to reasonably protect sensitive consumer information. 358 00:38:10,60 --> 00:38:12,78 Since two thousand and one the F.T.C. 359 00:38:12,78 --> 00:38:17,84 has brought fifteen data security cases including our most recent cases announced 360 00:38:17,84 --> 00:38:20,24 this morning against a mortgage company 361 00:38:20,24 --> 00:38:25,19 that threw sensitive consumer loan files into publicly accessible dumpsters. 362 00:38:25,19 --> 00:38:30,01 In addition to its enforcement efforts the commission has played a lead role in the 363 00:38:30,01 --> 00:38:34,89 president's identity theft task force. A task force strategic plan recommended 364 00:38:34,89 --> 00:38:40,66 thirty one initiatives to reduce the incidence and impact of identity theft.
365 00:38:40,66 --> 00:38:45,58 The recommendations focus on first prevention making it more difficult for 366 00:38:45,58 --> 00:38:47,04 criminals to steal data 367 00:38:47,04 --> 00:38:53,15 or to misuse data they do manage to steal second victim assistance helping 368 00:38:53,15 --> 00:38:54,72 consumers recover from identity theft 369 00:38:54,72 --> 00:38:59,71 and third deterrence strengthening the tools that we have to catch 370 00:38:59,71 --> 00:39:00,89 and punish the criminals. 371 00:39:00,89 --> 00:39:04,16 Most of these thirty one recommendations have been 372 00:39:04,16 --> 00:39:09,46 or are in the process of being implemented with respect to prevention the F.T.C. 373 00:39:09,46 --> 00:39:13,83 Is developed and distributed highly successful business and consumer guidance 374 00:39:13,83 --> 00:39:14,44 and data security 375 00:39:14,44 --> 00:39:20,35 and materials include a very popular data security guide for businesses 376 00:39:20,35 --> 00:39:24,02 which now comes with an online tutorial 377 00:39:24,02 --> 00:39:27,96 and the commission staff will be holding a series of regional data security 378 00:39:27,96 --> 00:39:34,13 seminars across the country beginning next year on the consumer side the commission 379 00:39:34,13 --> 00:39:40,23 launched last year a multimedia campaign titled deter detect defend. 380 00:39:40,23 --> 00:39:44,69 A copy of the package that includes brochures and training camps 381 00:39:44,69 --> 00:39:50,47 and the commission sponsors a multimedia website on guard online which has 382 00:39:50,47 --> 00:39:56,07 information for consumers on basic computer security since its launch this website 383 00:39:56,07 --> 00:39:59,11 has attracted over four point three million visits. 384 00:40:00,00 --> 00:40:04,55 Despite our best efforts to improve data security however there's no foolproof way 385 00:40:04,55 --> 00:40:07,07 to stop all data theft. 
386 00:40:07,07 --> 00:40:08,60 For that reason it is critical 387 00:40:08,60 --> 00:40:14,30 that we do whatever we can to make the data less useful for thieves as recommended 388 00:40:14,30 --> 00:40:19,39 by the task force the commission conducted two public workshops this year relating 389 00:40:19,39 --> 00:40:22,11 to the issue of Consumer authentication. 390 00:40:22,11 --> 00:40:25,55 By creating better ways to verify consumers' identities. 391 00:40:25,55 --> 00:40:26,98 When they open new accounts or 392 00:40:26,98 --> 00:40:31,54 when they access existing accounts we can make it more difficult for criminals to 393 00:40:31,54 --> 00:40:36,35 use stolen data regulations recently issued by the F.T.C. 394 00:40:36,35 --> 00:40:41,87 and The federal bank regulatory agencies under the Fact Act provide another tool in 395 00:40:41,87 --> 00:40:46,01 the battle to prevent identity theft these rules require all businesses 396 00:40:46,01 --> 00:40:51,54 that hold consumer account to establish an identity theft prevention program with 397 00:40:51,54 --> 00:40:55,32 regard to Victim Assistance The commission has continued its role as a central 398 00:40:55,32 --> 00:40:59,22 repository for identity theft information between fifteen 399 00:40:59,22 --> 00:41:03,42 and twenty thousand consumers contact us each week for information 400 00:41:03,42 --> 00:41:07,93 and how to guard against identity theft or to obtain help in recovering from it. 401 00:41:07,93 --> 00:41:13,38 Consumers who contact us receive step by step advice at the same time the 402 00:41:13,38 --> 00:41:17,13 information these consumers give us is six entered into our clearinghouse 403 00:41:17,13 --> 00:41:22,05 and is made available to over seven hundred law enforcement agencies for use in law 404 00:41:22,05 --> 00:41:22,71 enforcement. 
405 00:41:22,71 --> 00:41:26,82 We are also partnering with other agencies provide training for local law 406 00:41:26,82 --> 00:41:29,77 enforcement across the country and we have developed 407 00:41:29,77 --> 00:41:32,59 and posted a universal police report 408 00:41:32,59 --> 00:41:36,07 that identity theft victims can complete online print 409 00:41:36,07 --> 00:41:40,89 and take to law enforcement for verification with this report victims have access 410 00:41:40,89 --> 00:41:44,69 to a number of rights including the right to place a seven year fraud alert on 411 00:41:44,69 --> 00:41:49,31 their file to summarize identity theft is one of the most important consumer 412 00:41:49,31 --> 00:41:50,60 protection issues of our time 413 00:41:50,60 --> 00:41:54,81 and must be attacked from every angle the commission will continue to place a high 414 00:41:54,81 --> 00:41:58,31 priority on preventing this crime and helping victims to recover. 415 00:41:58,31 --> 00:42:02,39 We look forward to. To continue to work with us in this effort. 416 00:42:02,39 --> 00:42:06,73 I'd be happy to answer any questions you may. Queue. 417 00:42:06,73 --> 00:42:10,80 We have about ten minutes before we have to be on the floor. 418 00:42:10,80 --> 00:42:13,59 So we'll take your testimony and then we'll come back soon as we can. 419 00:42:13,59 --> 00:42:18,88 MS No. 420 00:42:18,88 --> 00:42:22,46 Thank you Chairman Scott and members of the subcommittee. 421 00:42:22,46 --> 00:42:26,45 Thank you for this opportunity to share my story today and for your leadership 422 00:42:26,45 --> 00:42:28,47 and interest in this issue. 423 00:42:28,47 --> 00:42:30,40 My name is Jamie Knapp 424 00:42:30,40 --> 00:42:35,28 and I'm the executive director of the identity theft Action Council of Nebraska a 425 00:42:35,28 --> 00:42:39,23 proud mother of a seven year old and I'm also an identity theft victim. 
426 00:42:39,23 --> 00:42:42,14 Today I will speak about my own personal experience 427 00:42:42,14 --> 00:42:46,64 and offer support for the Privacy and Cybercrime Enforcement Act of two thousand 428 00:42:46,64 --> 00:42:50,97 and seven. But also will provide some additional suggestions on what can be done. 429 00:42:50,97 --> 00:42:57,48 I have regrets in my life and one of them was taking a particular part time job 430 00:42:57,48 --> 00:43:02,22 and handing over my social security number to my employer in May two thousand 431 00:43:02,22 --> 00:43:03,24 and five. 432 00:43:03,24 --> 00:43:06,79 My personal information including my name, birth date 433 00:43:06,79 --> 00:43:12,12 and social security number were stolen and used to apply for four credit cards. 434 00:43:12,12 --> 00:43:16,51 The perpetrator turned out to be a manager at my former employer who stole my 435 00:43:16,51 --> 00:43:19,34 information from employer records. 436 00:43:19,34 --> 00:43:21,58 She was arrested in October two thousand and five 437 00:43:21,58 --> 00:43:26,88 and charged with criminal impersonation, a felony, for stealing my identity. 438 00:43:26,88 --> 00:43:31,39 She served five months in county jail only because she couldn't make bail. 439 00:43:31,39 --> 00:43:35,01 And then she was ordered to go to undergo drug treatment for methamphetamine 440 00:43:35,01 --> 00:43:36,61 addiction. 441 00:43:36,61 --> 00:43:40,25 My perpetrator pleaded guilty on the felony charge in October two thousand 442 00:43:40,25 --> 00:43:41,07 and seven 443 00:43:41,07 --> 00:43:46,02 and was ordered to drug court which is a program for nonviolent offenders with 444 00:43:46,02 --> 00:43:47,21 substance abuse problems 445 00:43:47,21 --> 00:43:52,85 and drug court than you at drug court graduation in January two thousand 446 00:43:52,85 --> 00:43:57,42 and eight a total of four felonies will be wiped clean from her criminal record 447 00:43:57,42 --> 00:44:03,18 like they never existed after.
Only a year and a half of drug treatment. 448 00:44:03,18 --> 00:44:08,86 I've lost more than a nine digit number from a piece of paper. 449 00:44:08,86 --> 00:44:13,88 This number happens to be the key to my financial past present and future. 450 00:44:13,88 --> 00:44:18,12 Even though no one assigns monetary value to a social security number. 451 00:44:18,12 --> 00:44:22,85 When I became a victim of identity theft I was not prepared for the overwhelming 452 00:44:22,85 --> 00:44:25,57 feeling of helplessness. 453 00:44:25,57 --> 00:44:28,13 And I was stunned at how quickly destruction came 454 00:44:28,13 --> 00:44:32,89 and how easy it was for my perpetrator to open up credit cards. 455 00:44:32,89 --> 00:44:38,15 What I experience was a deep sense of loss including the sense of who I am my 456 00:44:38,15 --> 00:44:40,65 entire core belief system. 457 00:44:40,65 --> 00:44:46,33 Friends who didn't understand what I was going through in a sense of safety. 458 00:44:46,33 --> 00:44:50,24 So worry and uncertainty caused me to change my physical appearance 459 00:44:50,24 --> 00:44:54,30 and intensely watch for strange people or cars following me. 460 00:44:54,30 --> 00:44:57,24 In April two thousand 461 00:44:57,24 --> 00:45:02,16 and six the trauma started to affect my press professional life while working for a 462 00:45:02,16 --> 00:45:06,35 different employer because the original stuff happened in the workplace. 463 00:45:06,35 --> 00:45:08,13 I started to become very uncomfortable 464 00:45:08,13 --> 00:45:11,99 and wasn't able to function at a normal level with my coworkers. 465 00:45:11,99 --> 00:45:17,45 Nor did I feel like I could trust management on my employer. 466 00:45:17,45 --> 00:45:21,41 Shortly thereafter the stress became too much to hide or control. 
467 00:45:21,41 --> 00:45:24,39 It started showing itself physically through my inability to sleep 468 00:45:24,39 --> 00:45:30,34 and increased paranoia cloudy vision and forgetfulness in May two thousand 469 00:45:30,34 --> 00:45:32,17 and six I thought counselling 470 00:45:32,17 --> 00:45:36,13 and was officially diagnosed with post-traumatic stress disorder. 471 00:45:36,13 --> 00:45:39,21 I'm not a vote a victim of a violent physical crime 472 00:45:39,21 --> 00:45:43,10 but I certainly feel like someone who is. 473 00:45:43,10 --> 00:45:46,67 My reality is that I will never be in total control over how or 474 00:45:46,67 --> 00:45:50,28 when my social security number will be used for the rest of my life. 475 00:45:50,28 --> 00:45:53,52 I must always have my guard up. 476 00:45:53,52 --> 00:45:57,03 My story does not end with heartache it actually ends with hope. 477 00:45:57,03 --> 00:45:59,79 I had a choice to make I can either forget. 478 00:46:00,00 --> 00:46:04,48 Let this crime ruin my life or create change in the choice was easy. 479 00:46:04,48 --> 00:46:07,96 I founded a nonprofit organization in two thousand 480 00:46:07,96 --> 00:46:10,90 and six called the identity theft Action Council of Nebraska 481 00:46:10,90 --> 00:46:14,93 and we educate consumers about identity theft 482 00:46:14,93 --> 00:46:19,21 and provide victim resources. 483 00:46:19,21 --> 00:46:20,90 I support tougher penalties 484 00:46:20,90 --> 00:46:24,47 and greater victim restitution including It included in this bill 485 00:46:24,47 --> 00:46:28,52 but it would also like to offer a few suggestions criminal penalties 486 00:46:28,52 --> 00:46:32,96 and tools for law enforcement is only part of the solution to more fully address 487 00:46:32,96 --> 00:46:36,52 the problem. 
Congress should require mandatory notification 488 00:46:36,52 --> 00:46:38,79 when sensitive personal information is breached 489 00:46:38,79 --> 00:46:42,69 and require mandatory data security requirements for business and government 490 00:46:42,69 --> 00:46:49,85 and also provide consumers with affordable easy to use security freeze writes. 491 00:46:49,85 --> 00:46:54,79 This is the first time I've spoken publicly about the depth of my pain with this 492 00:46:54,79 --> 00:46:56,47 crime and I thank you for this opportunity 493 00:46:56,47 --> 00:47:02,71 but my story only really only represents one person out of the millions of 494 00:47:02,71 --> 00:47:04,72 Americans who become victims each year. 495 00:47:04,72 --> 00:47:09,28 I'd like to thank you again for this opportunity 496 00:47:09,28 --> 00:47:11,86 and I'd have be happy to answer any questions. 497 00:47:11,86 --> 00:47:16,36 Thank you Ms Knapp for your very moving testimony. We will. 498 00:47:16,36 --> 00:47:18,45 Vote the three votes pending 499 00:47:18,45 --> 00:47:27,76 and we'll be back as soon as we can Obama be about fifteen minutes. 500 01:22:04,09 --> 01:22:11,06 The committee will come to order the gentleman from California has approved the 501 01:22:11,06 --> 01:22:14,36 starting off without the ranking member. 502 01:22:14,36 --> 01:22:18,28 So the ranking member comes they can blame it on the gentleman from California. 503 01:22:18,28 --> 01:22:21,48 Thank you Mr Holman. 504 01:22:21,48 --> 01:22:26,77 Mr Chairman Mr longer Mr Coble Merz of the subcommittee I want to thank you for the 505 01:22:26,77 --> 01:22:29,29 opportunity to testified today. 506 01:22:29,29 --> 01:22:35,07 There is an urgent need to update our federal criminal laws 507 01:22:35,07 --> 01:22:39,52 and law enforcement needs new tools to find 508 01:22:39,52 --> 01:22:42,13 and prosecute cyber criminals. 509 01:22:42,13 --> 01:22:46,96 Why does the Business Software Alliance care about this issue. Several reasons. 
510 01:22:46,96 --> 01:22:50,01 First it hurts our member companies' businesses. 511 01:22:50,01 --> 01:22:54,50 Secondly it hurts the development of electronic commerce 512 01:22:54,50 --> 01:22:58,97 and third because it hurts the economy as a whole. 513 01:22:58,97 --> 01:23:01,87 I want to thank you Mr Chairman 514 01:23:01,87 --> 01:23:05,84 for calling this hearing and for the leadership you have shown 515 01:23:05,84 --> 01:23:08,94 in sponsoring the pending legislation H.R. 516 01:23:08,94 --> 01:23:12,90 Forty one seventy five also to Congress commend Congressman Schiff 517 01:23:12,90 --> 01:23:18,30 and shot Mr longer than others for your leadership in energy introducing H.R. 518 01:23:18,30 --> 01:23:20,61 Twenty two ninety earlier this year. 519 01:23:20,61 --> 01:23:24,79 Today's hearing could not come at a better time. 520 01:23:24,79 --> 01:23:26,96 We're in the midst of the holiday series season 521 01:23:26,96 --> 01:23:33,29 and Americans will spend nearly thirty billion dollars in online shopping activity. 522 01:23:33,29 --> 01:23:37,01 They'll be able to shop at thousands of sites, compare products, services 523 01:23:37,01 --> 01:23:38,90 and get prices 524 01:23:38,90 --> 01:23:45,40 that would have been unavailable just a few years ago because of the issues 525 01:23:45,40 --> 01:23:47,49 of geography and comparative shopping 526 01:23:47,49 --> 01:23:51,55 that are brought about by the Internet. At the same time we know 527 01:23:51,55 --> 01:23:52,57 studies show 528 01:23:52,57 --> 01:23:57,11 that many individuals are concerned about their safety about doing business online. 529 01:23:57,11 --> 01:23:59,82 What the risk of criminals are who may be 530 01:24:00,00 --> 01:24:04,14 lurking in cyberspace who want to steal their identity, 531 01:24:04,14 --> 01:24:10,93 their financial records or more. Unfortunately these concerns are fully justified.
532 01:24:10,93 --> 01:24:16,45 The reality is that we use our computers at home, in the office, in ways today 533 01:24:16,45 --> 01:24:22,10 that were unimaginable the last time there were major revisions in the federal 534 01:24:22,10 --> 01:24:26,05 criminal laws. This has led to a change in the nature of cyber crime 535 01:24:26,05 --> 01:24:31,47 and it's changed the type of criminals. Two big changes have occurred in computing. 536 01:24:31,47 --> 01:24:35,59 First is the sheer growth in the number of people using computers. 537 01:24:35,59 --> 01:24:40,71 The second is the fact that computers are now almost always on 538 01:24:40,71 --> 01:24:42,38 and connected to the Internet. 539 01:24:42,38 --> 01:24:46,38 This has given criminals the opportunity to create malicious code 540 01:24:46,38 --> 01:24:51,86 that can be sent out surreptitiously and can compromise thousands 541 01:24:51,86 --> 01:24:54,49 or hundreds of thousands of computers. 542 01:24:54,49 --> 01:24:57,22 This results in the creation of zombie computers 543 01:24:57,22 --> 01:25:02,69 that the criminal can then remotely control to carry out his attacks. The zombies may 544 01:25:02,69 --> 01:25:05,23 not themselves suffer a monetary damage 545 01:25:05,23 --> 01:25:09,04 but they may become part of an unwitting accomplices 546 01:25:09,04 --> 01:25:13,13 in attacking other victims of financial crimes or identity theft 547 01:25:13,13 --> 01:25:14,94 or denial of service. 548 01:25:14,94 --> 01:25:19,15 We also see that cyber crime today is overwhelmingly fueled by profit. 549 01:25:19,15 --> 01:25:22,68 Criminals used to write malicious code for the bragging rights. 550 01:25:22,68 --> 01:25:28,36 Today they do it for the money and that is a change. What can Congress do about it?
551 01:25:28,36 --> 01:25:29,52 We believe 552 01:25:29,52 --> 01:25:33,46 that there is an urgent need to update our criminal laws to get law enforcement 553 01:25:33,46 --> 01:25:37,80 tools they need to a check the changing nature of the threat 554 01:25:37,80 --> 01:25:42,33 and the change in crime. We would suggest doing this in five ways. 555 01:25:42,33 --> 01:25:45,41 First, target botnets in ways 556 01:25:45,41 --> 01:25:50,45 that have been identified this morning by criminalizing cyber attacks on ten 557 01:25:50,45 --> 01:25:53,85 or more computers even if they don't suffer five thousand 558 01:25:53,85 --> 01:25:59,37 dollars' worth of damage. Two, address new forms of cyber extortion. Three. 559 01:26:00,00 --> 01:26:04,42 In the coverage of cyber crime laws to include computers affecting interstate 560 01:26:04,42 --> 01:26:07,79 commerce. Fourth, attack 561 01:26:07,79 --> 01:26:13,59 organized cybercrime by creating an explicit conspiracy to commit cyber crime as an 562 01:26:13,59 --> 01:26:14,02 offense 563 01:26:14,02 --> 01:26:18,41 and fifth, strengthen penalties by calling for the forfeiture of computers 564 01:26:18,41 --> 01:26:21,15 and other equipment that are used to conduct crime 565 01:26:21,15 --> 01:26:24,44 and by adopting tougher sentencing guidelines. 566 01:26:24,44 --> 01:26:27,73 Fortunately there is broad congressional, law enforcement 567 01:26:27,73 --> 01:26:30,41 and industry support for such legislation. 568 01:26:30,41 --> 01:26:34,25 There are a number of pending bills including two twenty two ninety 569 01:26:34,25 --> 01:26:35,58 that address these issues. 570 01:26:35,58 --> 01:26:39,81 Last month the Senate adopted S. twenty one sixty eight 571 01:26:39,81 --> 01:26:42,25 and finally Mr Chairman your bill does 572 01:26:42,25 --> 01:26:46,53 that with the exception of the provision to target those which we hope will be 573 01:26:46,53 --> 01:26:50,49 added to any final measure. Of course H.R.
574 01:26:50,49 --> 01:26:55,03 Forty one seventy five has many other provisions including data breach notification 575 01:26:55,03 --> 01:26:56,70 and privacy. B.S.A. 576 01:26:56,70 --> 01:27:01,99 understands the seriousness of the problem data breaches represent. We are committed 577 01:27:01,99 --> 01:27:03,69 to working with this committee 578 01:27:03,69 --> 01:27:08,55 and with the six other committees who have jurisdiction over this legislation in 579 01:27:08,55 --> 01:27:12,80 data breach to develop comprehensive federal legislation. 580 01:27:12,80 --> 01:27:16,29 But we are very concerned that the inclusion of data breach or privacy 581 01:27:16,29 --> 01:27:20,52 in cyber crime legislation will delay or prevent enactment. 582 01:27:20,52 --> 01:27:23,22 In conclusion we are eager to work with this committee. 583 01:27:23,22 --> 01:27:27,24 We believe the time is now and we encourage moving forward in addressing 584 01:27:27,24 --> 01:27:32,18 and closing the loopholes that exist under today's cybercrime laws. Thank you. 585 01:27:32,18 --> 01:27:39,33 Thank you very much Mr Holman in this county. 586 01:27:39,33 --> 01:27:44,25 Thank you Chairman Scott, ranking member Gohmert 587 01:27:44,25 --> 01:27:49,06 and members of the subcommittee for this opportunity to testify on the bill H.R. 588 01:27:49,06 --> 01:27:55,09 Forty one seventy five, the Privacy and Cybercrime Enforcement Act. 589 01:27:55,09 --> 01:27:59,92 My name is Lily honey I'm associate director at the Electronic Privacy 590 01:28:00,00 --> 01:28:05,43 Information Center. EPIC is a nonprofit Policy Research Center based in Washington D.C. 591 01:28:05,43 --> 01:28:10,68 We focus on privacy, civil liberties and constitutional values. 592 01:28:10,68 --> 01:28:16,25 With me this afternoon is Jonathan David, a student at Northeastern law school who 593 01:28:16,25 --> 01:28:19,01 assisted with the preparation of our statement.
594 01:28:19,01 --> 01:28:21,30 Thanks go to the sponsors of the bill. 595 01:28:21,30 --> 01:28:27,10 To a great degree the lack of transparency on data breaches, computer system 596 01:28:27,10 --> 01:28:28,43 breaches, anomalies 597 01:28:28,43 --> 01:28:33,99 and software failures inhibits the ability of the government to proactively address 598 01:28:33,99 --> 01:28:38,54 computer network vulnerabilities and enforce privacy laws. 599 01:28:38,54 --> 01:28:44,24 The old saying that what you don't know won't hurt you has rarely held true. 600 01:28:44,24 --> 01:28:47,58 And when it relates to data breaches it is never true. 601 01:28:47,58 --> 01:28:52,09 According to the Federal Trade Commission for the seventh year in a row identity 602 01:28:52,09 --> 01:28:55,63 theft is the number one concern of American consumers. 603 01:28:55,63 --> 01:28:57,91 We also know that two hundred 604 01:28:57,91 --> 01:29:04,16 and sixteen million Americans have had their data breaches impact them. 605 01:29:04,16 --> 01:29:09,66 The failings of private actors to manage the personally identifiable information 606 01:29:09,66 --> 01:29:15,37 entrusted to their care justify the passage of H.R. Forty one seventy five. 607 01:29:15,37 --> 01:29:20,33 Further a report from the summit Samuelson clinic confirms 608 01:29:20,33 --> 01:29:22,37 that the private sector is willing 609 01:29:22,37 --> 01:29:28,35 and able to act in putting in place security measures to protect computer networks 610 01:29:28,35 --> 01:29:32,74 that housed personally identifiable information when that data breach. 611 01:29:32,74 --> 01:29:38,93 When data breaches require, under state statute, notification to consumers. 612 01:29:38,93 --> 01:29:44,54 We appreciate that this bill will do what the Privacy Act should have done: 613 01:29:44,54 --> 01:29:49,52 include private data networks under the comments to protect personally identifiable 614 01:29:49,52 --> 01:29:50,95 information.
615 01:29:50,95 --> 01:29:55,04 This is a key component for privacy protection afford it buy in from fair 616 01:29:55,04 --> 01:29:59,94 information practices that are outlined in the Privacy Act. The provisions 617 01:30:00,00 --> 01:30:02,09 of the bill do not preempt state law 618 01:30:02,09 --> 01:30:06,10 but rather create an important federal baseline. 619 01:30:06,10 --> 01:30:11,45 As we have learned the states can respond more quickly than federal government than 620 01:30:11,45 --> 01:30:15,69 the federal government can to emerging privacy challenges. 621 01:30:15,69 --> 01:30:16,90 And it is very important 622 01:30:16,90 --> 01:30:22,52 that the federal government not limit the important work of the states in this area. 623 01:30:22,52 --> 01:30:27,29 The bill creates a great start on defining personally identifiable information 624 01:30:27,29 --> 01:30:29,85 but more needs to be done. 625 01:30:29,85 --> 01:30:34,52 We are now seeing a tremendous increase in the collection of personal information 626 01:30:34,52 --> 01:30:39,11 in the form of biometrics, behavioral targeting, 627 01:30:39,11 --> 01:30:44,03 associational information, which is completely unregulated. 628 01:30:44,03 --> 01:30:46,79 The challenge for the committee is to create a definition 629 01:30:46,79 --> 01:30:52,98 that recognizes the ever evolving risk data collection poses to privacy. 630 01:30:52,98 --> 01:30:57,28 EPIC endorses the bill language that requires technology protection measures 631 01:30:57,28 --> 01:31:01,11 that render the data elements indecipherable. We note 632 01:31:01,11 --> 01:31:04,72 that significant data breaches have occurred because of poor security practices 633 01:31:04,72 --> 01:31:10,40 or circumvention of security measures such as removal of large quantities of 634 01:31:10,40 --> 01:31:15,38 data records from office locations on personal portable computer devices 635 01:31:15,38 --> 01:31:18,88 that were subsequently lost or stolen.
636 01:31:18,88 --> 01:31:24,52 Regarding the promulgating of the final privacy impact assessments electronic 637 01:31:24,52 --> 01:31:26,80 records are inclusive things. 638 01:31:26,80 --> 01:31:32,84 It may be very difficult to enforce the intent of the provisions of this statute. 639 01:31:32,84 --> 01:31:34,21 For example. 640 01:31:34,21 --> 01:31:38,99 Epic recently discovered in the midst of our involvement in an agency proceeding 641 01:31:38,99 --> 01:31:43,56 before the Federal Trade Commission regarding the proposed merger merger of Google 642 01:31:43,56 --> 01:31:45,98 and doubleclick that the chair of the F.T.C. 643 01:31:45,98 --> 01:31:52,11 Spouse spouses law firm Jones Day represents one of the parties to the merger. 644 01:31:52,11 --> 01:31:56,53 Upon our making a complaint requesting the recusal of the chair from participation 645 01:31:56,53 --> 01:31:59,93 in the commission's decision making role on the merger requests. 646 01:32:00,00 --> 01:32:05,68 The electronic document disappeared from the Jones Day website this phenomenon of 647 01:32:05,68 --> 01:32:10,05 the disappearing electronic document is not limited to non-government Internet 648 01:32:10,05 --> 01:32:11,84 communications. 649 01:32:11,84 --> 01:32:16,34 It has also been an epic and actions taken by federal government agencies 650 01:32:16,34 --> 01:32:19,73 when publishing documents online. 651 01:32:19,73 --> 01:32:23,55 In closing I would like to thank the subcommittee for this opportunity to speak on 652 01:32:23,55 --> 01:32:25,27 the record regarding these are important measures 653 01:32:25,27 --> 01:32:28,06 that Forth in H R forty one seventy five 654 01:32:28,06 --> 01:32:32,04 and strongly endorsed the efforts to address the issue of data breaches involving 655 01:32:32,04 --> 01:32:36,22 personally identifiable information and efforts of this finances of the D.L. 
656 01:32:36,22 --> 01:32:40,73 and The subcommittee to make it more transparent the rule making process related to 657 01:32:40,73 --> 01:32:43,24 privacy impact assessments. Thank you. 658 01:32:43,24 --> 01:32:47,53 Thank you very much for scone and I will now have questions from the members 659 01:32:47,53 --> 01:32:50,48 and I recognize myself for five minutes at this time. 660 01:32:50,48 --> 01:32:54,70 Mr Laurean misread the identity theft penalty 661 01:32:54,70 --> 01:32:57,47 and has been acting included ten million dollars. 662 01:32:57,47 --> 01:33:01,12 Authorized to track down identity thieves. 663 01:33:01,12 --> 01:33:06,53 What have you done with the money. 664 01:33:06,53 --> 01:33:12,40 We have been actively pursuing identity theft cases. 665 01:33:12,40 --> 01:33:14,02 Around the country. 666 01:33:14,02 --> 01:33:16,88 Chairman Scott in the last between zero five 667 01:33:16,88 --> 01:33:21,52 and zero six identity theft cases alone increased about twenty two 668 01:33:21,52 --> 01:33:26,72 or twenty three percent from fifteen hundred and change to nine hundred and change. 669 01:33:26,72 --> 01:33:32,08 Many of those were under the aggravated identity fraud statute those numbers 670 01:33:32,08 --> 01:33:36,76 increased from two hundred twenty six in zero five to five hundred seven in zero 671 01:33:36,76 --> 01:33:40,57 six. In addition there are the Secret Service and the F.B.I. 672 01:33:40,57 --> 01:33:43,92 Have been establishing task forces all over the country. 673 01:33:43,92 --> 01:33:48,37 Joining together with their federal colleagues as well as local law enforcement 674 01:33:48,37 --> 01:33:52,55 and state law enforcement to attack identity crime at a local level 675 01:33:52,55 --> 01:33:58,62 and to ensure that as few of these cases as possible slip through the cracks. 676 01:33:58,62 --> 01:34:05,57 So use you. Putting the ten million to good use. Yes Did you run out of money. 
677 01:34:05,57 --> 01:34:08,52 I don't know run out of money but I can get back to you on. 678 01:34:08,52 --> 01:34:14,48 Well if you're tracking down cases with the money do you have enough. 679 01:34:14,48 --> 01:34:18,30 The original in the bill. One of the bills. 680 01:34:18,30 --> 01:34:24,34 That ten million dollars came out of the original bill had one hundred million 681 01:34:24,34 --> 01:34:30,52 and we were told by administration they didn't need any money so 682 01:34:30,52 --> 01:34:35,73 we just left a ten minute. Ten million we got left. 683 01:34:35,73 --> 01:34:40,89 It seems to me that we ought to be a high priority and I think the committee. 684 01:34:40,89 --> 01:34:42,89 Maybe I can speak for the committee 685 01:34:42,89 --> 01:34:45,44 but I'd be willing to put some more authority so 686 01:34:45,44 --> 01:34:48,88 that you could track down what these people would get the idea 687 01:34:48,88 --> 01:34:50,42 that they might get caught. 688 01:34:50,42 --> 01:34:54,02 Have you used up all of the ten million so 689 01:34:54,02 --> 01:34:58,52 that we might consider increasing the authorization. I can't. 690 01:34:58,52 --> 01:35:02,27 As I said I can't tell you whether or not we've used up all the ten million 691 01:35:02,27 --> 01:35:05,04 and I'd be happy to work with the committee and get back to you on that. 692 01:35:05,04 --> 01:35:11,42 OK Now part of the. If you have limited funds you have to make decisions. 693 01:35:11,42 --> 01:35:15,65 The five thousand dollars threshold anybody stealing less than five thousand pretty 694 01:35:15,65 --> 01:35:18,79 much home free. What would it take. 695 01:35:18,79 --> 01:35:26,65 How much would it take to get cases under five thousand also on your target list. 696 01:35:26,65 --> 01:35:30,53 I can't tell you how much it would take. 697 01:35:30,53 --> 01:35:35,69 With respect to money if that's your question for prosecution offices the U.S. 
698 01:35:35,69 --> 01:35:39,02 Attorney's offices around the country to lower their thresholds 699 01:35:39,02 --> 01:35:43,21 or if the department would support that I can tell you 700 01:35:43,21 --> 01:35:44,55 that we have used the money 701 01:35:44,55 --> 01:35:50,90 that we have had to create these regional task forces to work together 702 01:35:50,90 --> 01:35:55,63 closely with the state prosecutor's offices and state law enforcement 703 01:35:55,63 --> 01:35:59,72 and to train them in the investigation and prosecution of these sorts of crimes. 704 01:36:00,00 --> 01:36:03,67 And it's the problem with these cases is they are in fact labor intensive because 705 01:36:03,67 --> 01:36:08,17 there's a lot of work that needs to be done and the information is there 706 01:36:08,17 --> 01:36:10,76 but some of it might include when you find out 707 01:36:10,76 --> 01:36:14,63 that somebody with a stolen credit card has ordered something delivered to a post 708 01:36:14,63 --> 01:36:15,54 office box. 709 01:36:15,54 --> 01:36:19,20 You may have to have somebody sit out there until they come to pick it up 710 01:36:19,20 --> 01:36:25,95 and that's you got to pay for that. I mean it's just an hourly rate. So that. 711 01:36:25,95 --> 01:36:30,90 Most and many of these cases can be solved if we just had the resources. 712 01:36:30,90 --> 01:36:35,48 And so we'll work together to find out what resources you may need to lower the 713 01:36:35,48 --> 01:36:40,94 threshold as somebody gets the information they may feel they have they're at risk 714 01:36:40,94 --> 01:36:45,90 of actually getting caught. Now. 715 01:36:45,90 --> 01:36:52,86 Is if if a database is breached is mere possession of the 716 01:36:52,86 --> 01:36:59,48 database across it. 
717 01:36:59,48 --> 01:37:05,04 It depends if it's knowing if if a database is breached 718 01:37:05,04 --> 01:37:11,44 and somebody extracts the information then yes if it's not authorized it was an 719 01:37:11,44 --> 01:37:15,74 authorized extraction it is a crime is buying a social security number from some 720 01:37:15,74 --> 01:37:20,26 somebody a crime before you actually without using it. 721 01:37:20,26 --> 01:37:22,85 I. 722 01:37:22,85 --> 01:37:24,36 I don't have the statutes in front of me 723 01:37:24,36 --> 01:37:28,73 but I believe under Title forty four the Social Security statute that 724 01:37:28,73 --> 01:37:29,90 that possession. 725 01:37:29,90 --> 01:37:34,19 If it's with intent to commit fraud would be a crime but mere possession. 726 01:37:34,19 --> 01:37:37,26 If you buy a Social Security number and that's all. 727 01:37:37,26 --> 01:37:39,57 All you've got you don't know what they were going to do with it. 728 01:37:39,57 --> 01:37:43,69 Well it's fairly easy to prove 729 01:37:43,69 --> 01:37:47,27 that somebody who buys somebody else's Social Security number if it's not their own 730 01:37:47,27 --> 01:37:50,48 intends to commit fraud with it but the answer to your question is yes. 731 01:37:50,48 --> 01:37:51,89 If you could not prove that element. 732 01:37:51,89 --> 01:37:52,71 I believe that 733 01:37:52,71 --> 01:37:57,26 that would mean you would not be able to satisfy the statute is phishing a crime. 734 01:38:00,46 --> 01:38:07,43 Phishing phishing is a crime if it violates one of the statutes set 735 01:38:07,43 --> 01:38:09,71 forth in ten thirty. 736 01:38:09,71 --> 01:38:15,92 The elements do need to make it clear that phishing is in fact a crime. 737 01:38:15,92 --> 01:38:20,76 No Chairman Scott I don't think it's necessary to necessarily change the language of 738 01:38:20,76 --> 01:38:25,80 the bill the way you have it now to to indicate that phishing is itself. A crime.
739 01:38:25,80 --> 01:38:31,50 The language that set forth in the bill is adequate to capture. 740 01:38:31,50 --> 01:38:37,05 Those types of scams with the suggestions that we've set forth there today. 741 01:38:37,05 --> 01:38:39,02 Several people have mentioned whether 742 01:38:39,02 --> 01:38:45,03 or not just putting a cookie on somebody's computer where you can extract 743 01:38:45,03 --> 01:38:51,81 information without so-called damaging the computer is 744 01:38:51,81 --> 01:38:54,55 that is that not trespassing or some crime 745 01:38:54,55 --> 01:38:58,98 and authorize placing. 746 01:38:58,98 --> 01:39:03,04 One of those cookies in somebody's computer so that you can get information 747 01:39:03,04 --> 01:39:09,75 and that's some kind of crime. Well. 748 01:39:09,75 --> 01:39:15,11 We What I'd like to do is is is is go back and 749 01:39:15,11 --> 01:39:18,77 and get back to committee on that question. Certainly. 750 01:39:18,77 --> 01:39:22,78 It sounds like a variation of a botnet the way you asked the question 751 01:39:22,78 --> 01:39:27,50 but depending on the way you analyze the statute in the various elements of the 752 01:39:27,50 --> 01:39:33,54 statutes. It's the intent of the of the person who puts it. There is significant. 753 01:39:33,54 --> 01:39:40,48 Is the have heard the suggestion 754 01:39:40,48 --> 01:39:43,14 that you ought to be a crime if you do it to ten computers. 755 01:39:43,14 --> 01:39:45,54 That's any reason why if you do it to one computer why 756 01:39:45,54 --> 01:39:51,11 that also should not be a crime. Well it may very well be a crime. 757 01:39:51,11 --> 01:39:55,57 With in. Under various state statutes. 758 01:39:55,57 --> 01:39:59,92 What we are attempting to do is bring more crimes within the perp. 759 01:40:00,00 --> 01:40:04,15 The federal statute not less will be working together on on 760 01:40:04,15 --> 01:40:06,65 that gentleman from Texas.
761 01:40:06,65 --> 01:40:12,01 Thanks chairman and again thank you your testimony and appreciate your patience. 762 01:40:12,01 --> 01:40:19,12 Just so I'm clear on the S.A.'s position which tone. 763 01:40:19,12 --> 01:40:20,22 Does B.S.A. 764 01:40:20,22 --> 01:40:21,55 Support a new federal law 765 01:40:21,55 --> 01:40:27,83 that would require businesses to report to notify consumers every time a security 766 01:40:27,83 --> 01:40:30,48 breach occurs. 767 01:40:30,48 --> 01:40:37,45 As Chairman we support the concept of a comprehensive federal data breach bill 768 01:40:37,45 --> 01:40:43,24 that would address the issue of businesses notifying consumers 769 01:40:43,24 --> 01:40:47,19 when there is a significant harm major breach that occurs. 770 01:40:47,19 --> 01:40:50,69 But but my question was not whether we should have a comprehensive bill 771 01:40:50,69 --> 01:40:52,44 that addresses that 772 01:40:52,44 --> 01:40:58,52 but whether you support actually requiring businesses to notify consumers 773 01:40:58,52 --> 01:41:02,98 when the breach is a car but we support. 774 01:41:02,98 --> 01:41:05,64 Notification to consumers. 775 01:41:05,64 --> 01:41:11,74 Under a properly crafted definition of what is significant breaches with other key 776 01:41:11,74 --> 01:41:16,09 components for example one of my colleagues on the panel spoke of the information 777 01:41:16,09 --> 01:41:21,21 is encrypted or redacted or otherwise stored in a fashion so 778 01:41:21,21 --> 01:41:24,25 that it's not accessible when it's breached. 779 01:41:24,25 --> 01:41:25,77 There shouldn't be a notice we also believe 780 01:41:25,77 --> 01:41:30,38 that there are a number of other important provisions in an overall data security 781 01:41:30,38 --> 01:41:31,35 bill that 782 01:41:31,35 --> 01:41:36,44 that is simply one element of a number of provisions we'd like to say OK Thank you. 783 01:41:36,44 --> 01:41:42,77 And Ms Knapp you're coming forward. Apparently.
784 01:41:42,77 --> 01:41:48,02 We may not even know how many people have actually meant adversely harmed as you 785 01:41:48,02 --> 01:41:49,34 have and you. 786 01:41:49,34 --> 01:41:50,60 You mentioned 787 01:41:50,60 --> 01:41:57,39 that the perpetrator against you was going to have a 788 01:41:57,39 --> 01:42:02,38 record was clean after a year and a half of. Treatment parents. 789 01:42:02,38 --> 01:42:08,71 Let me ask you know there's been laws like in Texas where people have become so 790 01:42:08,71 --> 01:42:11,22 outraged about. 791 01:42:11,22 --> 01:42:12,88 Driving while intoxicated 792 01:42:12,88 --> 01:42:16,91 or driving under the influence been with your State College that. 793 01:42:16,91 --> 01:42:22,44 Are negligent infliction of harm. 794 01:42:22,44 --> 01:42:24,42 Through driving while intoxicated 795 01:42:24,42 --> 01:42:29,50 and people became outraged enough they said let's have a lot. 796 01:42:29,50 --> 01:42:32,36 No more deferred adjudication this is serious enough 797 01:42:32,36 --> 01:42:35,95 that if you commit this then it ought to be on your record for good 798 01:42:35,95 --> 01:42:42,28 and you can't come out from under it. Are you bringing that up or you actually. 799 01:42:42,28 --> 01:42:43,35 Are ging that way 800 01:42:43,35 --> 01:42:48,96 and the possibility at least in the federal realm as far as we can fart 801 01:42:48,96 --> 01:42:53,98 adjudication where. It has to be on someone's record. 802 01:42:53,98 --> 01:42:58,41 I was just referring to my case as it stands 803 01:42:58,41 --> 01:43:00,97 and what is happening to me 804 01:43:00,97 --> 01:43:04,38 but I'm asking you are adversely affected what do you think. 805 01:43:04,38 --> 01:43:10,25 I personally don't think you know something like this. 
806 01:43:10,25 --> 01:43:15,06 I think it has to do with identity theft victims in general a lot of times in the 807 01:43:15,06 --> 01:43:20,12 judicial system where we are not seen as a victim of a crime a lot of times 808 01:43:20,12 --> 01:43:23,68 and in my case I don't believe that I was seen as a victim 809 01:43:23,68 --> 01:43:29,62 when the judge at the plea hearing he felt like a restitution hearing one being 810 01:43:29,62 --> 01:43:35,43 needed because how could I possibly have any type of out of pocket costs 811 01:43:35,43 --> 01:43:37,46 and so that you know 812 01:43:37,46 --> 01:43:42,63 that comment to me says I don't see you. 813 01:43:42,63 --> 01:43:47,13 And well obviously the judge didn't understand the crime right. 814 01:43:47,13 --> 01:43:53,03 But it seems to me that as we contemplate this crime 815 01:43:53,03 --> 01:43:58,23 and what is a crime that brings to mind. 816 01:43:58,23 --> 01:43:59,91 Some of the lessons we learned in the last. 817 01:44:00,00 --> 01:44:04,29 Cool about crimes of moral turpitude and. 818 01:44:04,29 --> 01:44:09,39 In society we think those are more serious crimes because they involved a means 819 01:44:09,39 --> 01:44:14,09 rather involved intent Michel are you brought in to in a number of times. 820 01:44:14,09 --> 01:44:16,48 Well a lot depends on the intent. 821 01:44:16,48 --> 01:44:18,88 Well it seems to me that this ought to be one of those crimes 822 01:44:18,88 --> 01:44:25,11 that if you break into somebody's computer if you get their private information 823 01:44:25,11 --> 01:44:31,52 then regardless of what the intent is you know the res ipsa loquitur out a 824 01:44:31,52 --> 01:44:33,73 basically a black thing speaks for itself. 825 01:44:33,73 --> 01:44:38,93 You know you have the intent and take that intentional aspect out of the proof 826 01:44:38,93 --> 01:44:44,50 that you have to put on. So. I mean think about it involves lying.
827 01:44:44,50 --> 01:44:49,09 It involves fraud involves theft in some cases like one recently a week 828 01:44:49,09 --> 01:44:52,29 or so ago it involved bar glory Reichian 829 01:44:52,29 --> 01:44:57,87 and put stuff on a computer so you could track what they were doing so I think this 830 01:44:57,87 --> 01:44:59,26 hearing is a great thing 831 01:44:59,26 --> 01:45:05,76 and I do think we need to make this bill as tough as possible so 832 01:45:05,76 --> 01:45:11,06 that America understands how serious the crime is now would just like to ask Ms 833 01:45:11,06 --> 01:45:17,08 Knapp you recommended requiring mandatory notification when data is breached. 834 01:45:17,08 --> 01:45:19,62 But let me just ask. 835 01:45:19,62 --> 01:45:25,10 Who among the witnesses actually read this bill that we're about here today. 836 01:45:25,10 --> 01:45:28,02 Anybody. Wow all of you. 837 01:45:28,02 --> 01:45:31,17 Well same red lights only with your indulgence 838 01:45:31,17 --> 01:45:35,14 and Chairman I'd like to just ask specifically. 839 01:45:35,14 --> 01:45:39,70 If you could quickly say if you have any specific provisions 840 01:45:39,70 --> 01:45:42,99 that you would like to see changed so we could make note of them 841 01:45:42,99 --> 01:45:47,55 and try to improve the legislation. Mr Lowery starting with you. 842 01:45:47,55 --> 01:45:52,23 And if you've got a good long list there then I'd like the list because we're 843 01:45:52,23 --> 01:45:55,26 looking for ways to make it better and that's what they are and for. 844 01:45:55,26 --> 01:45:59,85 Thank you Congressman. Our recommendation and request would.
845 01:46:00,00 --> 01:46:05,82 To modify section ten thirty eight five regarding damage to computers as we spoke 846 01:46:05,82 --> 01:46:09,14 about before to add language 847 01:46:09,14 --> 01:46:13,02 that would make it a felony if the conduct affected ten or more computers 848 01:46:13,02 --> 01:46:18,47 and also to make it a misdemeanor for damage under five thousand dollars anywhere 849 01:46:18,47 --> 01:46:23,60 between zero and five thousand dollars. We would recommend. 850 01:46:23,60 --> 01:46:27,43 Modifications to Sections ten twenty eight and ten twenty eight. 851 01:46:27,43 --> 01:46:30,80 To define persons to include corporations. 852 01:46:30,80 --> 01:46:31,30 So 853 01:46:31,30 --> 01:46:36,65 that the stealing of the identity of a corporation often used in phishing schemes would 854 01:46:36,65 --> 01:46:39,37 also be a crime under ten twenty eight. 855 01:46:39,37 --> 01:46:43,05 We would also add certain crimes to the list 856 01:46:43,05 --> 01:46:47,28 that would be predicates for the aggravated felony under ten twenty eight 857 01:46:47,28 --> 01:46:50,59 and we provided those papers. 858 01:46:50,59 --> 01:46:57,32 We would ask for a modification to ten thirty eight seven which is the 859 01:46:57,32 --> 01:47:04,29 extortion statute. To enable that statute to reach. 860 01:47:04,29 --> 01:47:05,96 Threats to do. 861 01:47:05,96 --> 01:47:09,24 To release for example to release information 862 01:47:09,24 --> 01:47:14,73 that had already been stolen the way that the statute is drafted now. 863 01:47:14,73 --> 01:47:16,48 It covers threats to do damage 864 01:47:16,48 --> 01:47:21,85 but not necessarily threats related to damage already done so we believe the 865 01:47:21,85 --> 01:47:24,83 statute needs a little bit of tweaking there. 866 01:47:24,83 --> 01:47:29,21 We have some suggestions for the forfeiture section.
867 01:47:29,21 --> 01:47:31,58 To include real property 868 01:47:31,58 --> 01:47:38,13 and to change the language in one of the prongs from proceeds to gross proceeds. 869 01:47:38,13 --> 01:47:42,33 And finally and perhaps most significantly. 870 01:47:42,33 --> 01:47:45,97 We request changes or. 871 01:47:45,97 --> 01:47:51,17 Directives to the Sentencing Commission to focus not just on sentences in general 872 01:47:51,17 --> 01:47:54,51 but certain specific which would include. 873 01:47:54,51 --> 01:47:59,59 Defining a victim as not just somebody who suffers monetary loss but. 874 01:48:00,00 --> 01:48:04,40 Who suffers an invasion of privacy and that relates to some of the topics 875 01:48:04,40 --> 01:48:06,93 that have already been discussed at this hearing today. 876 01:48:06,93 --> 01:48:12,31 And in any event it is hard to value. Information stolen. 877 01:48:12,31 --> 01:48:15,83 We finally with respect to the Sentencing Commission. 878 01:48:15,83 --> 01:48:20,43 Would request that they be directed to. Look into. 879 01:48:20,43 --> 01:48:26,29 The aggravating factors that are already there or the enhancements 880 01:48:26,29 --> 01:48:27,29 that are already in the statute 881 01:48:27,29 --> 01:48:33,55 that they be accumulated instead of now applying whether they're the greatest of 882 01:48:33,55 --> 01:48:36,63 is a language that's that's now used. 883 01:48:36,63 --> 01:48:39,35 We would also suggest an enhancement 884 01:48:39,35 --> 01:48:44,43 that the Sentencing Commission look at whether it should be an enhancement for 885 01:48:44,43 --> 01:48:48,94 disclosure of information stolen because it is a separate harm 886 01:48:48,94 --> 01:48:51,85 and in some senses maybe even more significant harm. 887 01:48:51,85 --> 01:48:56,17 Once information is stolen to disclose it. Depending on how many people. 888 01:48:56,17 --> 01:49:00,80 It's disclosed to. So thank you for that I thank you. 
889 01:49:00,80 --> 01:49:03,59 And we've got more not or exceed my time 890 01:49:03,59 --> 01:49:09,08 that much if I could ask the witnesses to if you could submit in writing any 891 01:49:09,08 --> 01:49:12,52 suggestions you have for changes to the legislation 892 01:49:12,52 --> 01:49:14,09 that would be greatly appreciated. 893 01:49:14,09 --> 01:49:15,73 And that would include all of you 894 01:49:15,73 --> 01:49:19,82 and including Mr Lowery if you think of anything else but thank you so much. 895 01:49:19,82 --> 01:49:23,80 Thank you. The gentleman from North Carolina. 896 01:49:23,80 --> 01:49:27,56 Thank you as chairman It has been said. We appreciate you all being here. 897 01:49:27,56 --> 01:49:32,15 Mr Tolman I responded to Mr gomers question. 898 01:49:32,15 --> 01:49:37,54 Regarding notifying consumers under a properly crafted statute. 899 01:49:37,54 --> 01:49:41,42 Would you also require support the requirement 900 01:49:41,42 --> 01:49:46,65 that business notify law enforcement the next. 901 01:49:46,65 --> 01:49:49,93 Mr Koppel I appreciate your follow up question on 902 01:49:49,93 --> 01:49:56,32 that I think the yes the answer is we would support the requirement 903 01:49:56,32 --> 01:49:59,93 that businesses notify law enforcement when there is a. 904 01:50:00,00 --> 01:50:04,68 Breach and I think there's probably greater clarity in terms of our support for 905 01:50:04,68 --> 01:50:09,37 that. Again it's with the caveats 906 01:50:09,37 --> 01:50:14,41 that it needs to define what a significant breach is it needs to ensure 907 01:50:14,41 --> 01:50:19,66 that there's not notification if it is unnecessary and we believe that 908 01:50:19,66 --> 01:50:22,78 but the principle we think is worthwhile. 909 01:50:22,78 --> 01:50:27,39 We would hope that that is addressed how are part of a comprehensive data breach. 910 01:50:27,39 --> 01:50:31,49 Thank you sir Mr Winston What steps does the F.T.C.
911 01:50:31,49 --> 01:50:32,63 Take to make sure 912 01:50:32,63 --> 01:50:39,42 that businesses adequately protect personal information from identity theft. 913 01:50:39,42 --> 01:50:43,95 And. We go about this in several ways. 914 01:50:43,95 --> 01:50:48,88 Beginning with law enforcement as I mentioned in my testimony we've brought fifteen 915 01:50:48,88 --> 01:50:51,79 law enforcement cases now against companies 916 01:50:51,79 --> 01:50:57,50 that failed to reasonably protect consumer data in most cases leading to a data 917 01:50:57,50 --> 01:51:01,91 breach. And in addition to law enforcement. 918 01:51:01,91 --> 01:51:05,91 We also do a lot of consumer business education and outreach. 919 01:51:05,91 --> 01:51:09,05 We've published educational materials. 920 01:51:09,05 --> 01:51:13,56 We're going to be holding regional seminars for for businesses so 921 01:51:13,56 --> 01:51:15,63 that they understand what their obligations are 922 01:51:15,63 --> 01:51:19,57 and the understand what the consequences are if they don't meet their obligations. 923 01:51:19,57 --> 01:51:26,21 Thank you for our laws list was didn't require a protection approach to learn from 924 01:51:26,21 --> 01:51:30,84 a should limited to certain industries are certain sectors taken by king 925 01:51:30,84 --> 01:51:36,38 or of the financial financial industries. Yes that's correct. 926 01:51:36,38 --> 01:51:41,23 There are a number of data security laws that apply to different kinds of data 927 01:51:41,23 --> 01:51:43,12 or different kinds of industries. 928 01:51:43,12 --> 01:51:48,39 The financial services industry is one the health care industry is another as part 929 01:51:48,39 --> 01:51:49,18 of the. 930 01:51:49,18 --> 01:51:54,15 Identity theft task force recommendations we have supported a national data security 931 01:51:54,15 --> 01:51:59,93 law that would apply across the board to any business that maintains personal info. 
932 01:52:00,74 --> 01:52:02,52 We think that there should be one rule. 933 01:52:02,52 --> 01:52:12,79 Thank you Ms Knapp how can we improve restitution for identity. 934 01:52:12,79 --> 01:52:15,27 Thank you sir for that question. 935 01:52:15,27 --> 01:52:22,06 I think what you're doing with allowing victims to 936 01:52:22,06 --> 01:52:25,59 count their time is very important I think this is the first time 937 01:52:25,59 --> 01:52:27,30 that we have actually seen some of 938 01:52:27,30 --> 01:52:34,30 that because time is so much of what we deal with no fortune never 939 01:52:34,30 --> 01:52:38,63 how does one. 940 01:52:38,63 --> 01:52:45,47 Possibly for one's credit record after having. 941 01:52:45,47 --> 01:52:50,91 That one problem. 942 01:52:50,91 --> 01:52:57,29 In my opinion it is difficult. There are barriers in and. 943 01:52:57,29 --> 01:53:00,76 Things in each person's victim is a sion is different 944 01:53:00,76 --> 01:53:06,85 but the journey is not an easy one. 945 01:53:06,85 --> 01:53:09,32 Thank you note. 946 01:53:09,32 --> 01:53:16,73 For the red line that's very kind gentleman from California. 947 01:53:16,73 --> 01:53:19,99 Mr Long. 948 01:53:19,99 --> 01:53:23,76 Thank you very much Mr Chairman I don't know whether the ranking member needed more 949 01:53:23,76 --> 01:53:30,47 time for his questions. So that's between you and the ranking member. 950 01:53:30,47 --> 01:53:34,62 Thank you for yielding. 951 01:53:34,62 --> 01:53:41,37 Think. 952 01:53:41,37 --> 01:53:43,60 The representative of. 953 01:53:43,60 --> 01:53:45,21 The Justice Department 954 01:53:45,21 --> 01:53:51,94 and also the gentleman representing. 955 01:53:51,94 --> 01:53:53,68 I'm concerned about. 956 01:53:53,68 --> 01:53:59,36 This whole area particularly identity theft and. 957 01:54:00,00 --> 01:54:03,39 We enact legislation I would like to ensure that it actually works. 
958 01:54:03,39 --> 01:54:10,13 And one of the things that strikes me on the bill that we have before us is that. 959 01:54:10,13 --> 01:54:14,77 It acts a little differently than some other laws that I'm aware of which is 960 01:54:14,77 --> 01:54:17,50 that when. 961 01:54:17,50 --> 01:54:23,22 The Congress preempt state law it then gives the state A.G.'s 962 01:54:23,22 --> 01:54:29,39 the authority to assist in the enforcement of federal statutes this bill is drafted 963 01:54:29,39 --> 01:54:30,49 as I understand it. 964 01:54:30,49 --> 01:54:34,41 Allows that but does no preemption at all is 965 01:54:34,41 --> 01:54:37,34 that unusual in the law in your experience or is that something 966 01:54:37,34 --> 01:54:38,80 that we see somewhere else. 967 01:54:38,80 --> 01:54:43,78 With respect to our experience I'd be happy to get back to the Committee on another 968 01:54:43,78 --> 01:54:45,82 areas where we've seen this I will note 969 01:54:45,82 --> 01:54:52,36 that in the task force strategic report which is co-chaired by the department 970 01:54:52,36 --> 01:54:57,37 they did recommend that type of preemption. 971 01:54:57,37 --> 01:55:00,37 My concern is. 972 01:55:00,37 --> 01:55:05,82 We are creating a lot of criminalization of activity on a federal level 973 01:55:05,82 --> 01:55:10,19 and yet I wonder whether we have the resources to follow through with it truly 974 01:55:10,19 --> 01:55:17,19 and therefore is this really an attempt to create a federal statute of 975 01:55:17,19 --> 01:55:18,51 criminal sanctions 976 01:55:18,51 --> 01:55:23,04 but with the expectation it will truly be enforced by the states and the feds 977 01:55:23,04 --> 01:55:25,93 and if we're going to do that we ought to know about that 978 01:55:25,93 --> 01:55:28,73 but it seems to me a little different than we've done before and maybe I'm wrong. 979 01:55:28,73 --> 01:55:31,13 Maybe there are other areas of the law and the gentleman from the F.T.C. 
980 01:55:31,13 --> 01:55:32,75 Can help me on this. 981 01:55:32,75 --> 01:55:38,96 Mr Laurie said the identity theft task force in some of its recommendations 982 01:55:38,96 --> 01:55:43,96 particularly with regard to look I understand they may have suggested I'm asking is 983 01:55:43,96 --> 01:55:45,31 this a precedent or is this something 984 01:55:45,31 --> 01:55:49,93 that we found another is a law that's what I'm trying to a number of laws 985 01:55:49,93 --> 01:55:54,34 that provide for federal preemption but allow for state attorney general 986 01:55:54,34 --> 01:55:59,86 enforcement the Fair Credit Reporting Act as one so that model is. 987 01:56:00,00 --> 01:56:04,17 I think it's not uncommon but where we have no preemption here. 988 01:56:04,17 --> 01:56:05,84 But still extending that. 989 01:56:05,84 --> 01:56:06,75 Well 990 01:56:06,75 --> 01:56:10,63 that I'm not sure about I know there are that's not so I'm trying to figure out if 991 01:56:10,63 --> 01:56:14,89 you could help me in in looking at that and submitting that for the record. 992 01:56:14,89 --> 01:56:17,69 Title two of the legislation. 993 01:56:17,69 --> 01:56:26,92 Authorizes a civil action with. 994 01:56:26,92 --> 01:56:29,14 Civil penalties up to five hundred thousand dollars 995 01:56:29,14 --> 01:56:33,38 or million dollars if it's intentional from any business entity. 996 01:56:33,38 --> 01:56:36,87 Says from any business entity that engages in conduct 997 01:56:36,87 --> 01:56:41,18 that constitute a violation of federal law relating to data security. 998 01:56:41,18 --> 01:56:44,31 If you had a chance to look at the bill. 999 01:56:44,31 --> 01:56:49,82 Do you think that limits it to for profit entities only Or would that be. 1000 01:56:49,82 --> 01:56:50,99 Not for profit as well. 1001 01:56:50,99 --> 01:56:55,48 How would you look at it from the Justice Department standpoint.
1002 01:56:55,48 --> 01:57:02,03 And here is a member of the criminal division so I did not scrub the civil sections 1003 01:57:02,03 --> 01:57:04,65 of the bill but we'd be happy to review that and get back to you 1004 01:57:04,65 --> 01:57:08,67 and opinions about whether or not it would cover both those types of entities. 1005 01:57:08,67 --> 01:57:13,43 I'm trying to sort of figure out where we are here because I want a statute 1006 01:57:13,43 --> 01:57:16,41 that works but I also want one that doesn't just sit on the books 1007 01:57:16,41 --> 01:57:20,57 and we think it's going to work or frankly if we pass federal laws 1008 01:57:20,57 --> 01:57:24,86 that are primarily be enforced by federal authorities to me that's extremely 1009 01:57:24,86 --> 01:57:31,13 important. But it's more difficult for us to have oversight. 1010 01:57:31,13 --> 01:57:36,95 If what we're doing is passing federal laws that are going to be absolutely if not. 1011 01:57:36,95 --> 01:57:43,18 Exclusively are primarily if not exclusively prosecuted at the state level 1012 01:57:43,18 --> 01:57:49,18 and I wonder if there are implications with respect to kind of social authority in 1013 01:57:49,18 --> 01:57:52,41 that. 1014 01:57:52,41 --> 01:57:55,18 The way I read the bill 1015 01:57:55,18 --> 01:57:59,50 and I would ask if this seems to make sense because we can certainly change it 1016 01:57:59,50 --> 01:58:06,00 looks. Like it provides an across the board maximum penalty of twenty years. 1017 01:58:06,00 --> 01:58:11,10 For all violations of Section ten thirty of Title eighteen. 1018 01:58:11,10 --> 01:58:14,87 Now unless I missed something that could be interpreted as meaning 1019 01:58:14,87 --> 01:58:20,98 that failure to notify breaches. Would carry a harsher penalty for the businesses. 1020 01:58:20,98 --> 01:58:25,60 Than for the ID thieves themselves. 1021 01:58:25,60 --> 01:58:30,59 To me that doesn't sound like a proper priority.
1022 01:58:30,59 --> 01:58:36,96 Would you agree with that or is that something that you think makes sense. 1023 01:58:36,96 --> 01:58:41,07 I believe the way the bill was was drafted. 1024 01:58:41,07 --> 01:58:49,08 It provides for a five year penalty maximum penalty for the failure to notify. 1025 01:58:49,08 --> 01:58:49,84 So. 1026 01:58:49,84 --> 01:58:54,73 So your answer is that's what you would want rather than the way I thought it was 1027 01:58:54,73 --> 01:58:59,35 written. I have a lot more questions but I would like to respect my time limits 1028 01:58:59,35 --> 01:59:00,81 and I would yield back. 1029 01:59:00,81 --> 01:59:07,73 That's a novel concept of the subcommittee but I thank you gentleman from Ohio. 1030 01:59:07,73 --> 01:59:14,08 I thank the chairman for yielding Mr Holman news reports indicate 1031 01:59:14,08 --> 01:59:15,48 that crimes committed. 1032 01:59:15,48 --> 01:59:18,90 Computers are becoming increasingly prevalent 1033 01:59:18,90 --> 01:59:23,11 and I know that's what we've been discussing today with as many as ten million 1034 01:59:23,11 --> 01:59:27,34 computers falling victim to hackers. F.B.I. 1035 01:59:27,34 --> 01:59:29,30 Director Mueller is quoted as saying 1036 01:59:29,30 --> 01:59:35,13 that quote botnets are the weapon of choice for cyber criminals unquote. 1037 01:59:35,13 --> 01:59:39,52 How urgent is it that we pass cyber crime legislation 1038 01:59:39,52 --> 01:59:46,01 and can we afford to wait on cyber crime legislation while we address other 1039 01:59:46,01 --> 01:59:49,74 problems with Internet security. 1040 01:59:49,74 --> 01:59:54,03 Thanks for the question I think that it is imperative 1041 01:59:54,03 --> 01:59:59,16 and urgent to pass cyber crime legislation. I think there is broad agreement.
1042 02:00:00,00 --> 02:00:01,21 In both houses of Congress 1043 02:00:01,21 --> 02:00:07,88 and across the aisle in terms of what loopholes need to be closed your question is 1044 02:00:07,88 --> 02:00:13,36 correct that the growth in botnets is an enormous problem and 1045 02:00:13,36 --> 02:00:18,92 that is bringing law abiding citizens unwittingly into the process in which their 1046 02:00:18,92 --> 02:00:22,64 computers are being hijacked and used to perpetrate crime. 1047 02:00:22,64 --> 02:00:24,98 It may slow down their computer. 1048 02:00:24,98 --> 02:00:28,13 It may be a nuisance for them but they don't really know what's happening 1049 02:00:28,13 --> 02:00:32,85 and we should not require that law enforcement be required to show 1050 02:00:32,85 --> 02:00:36,39 that there is five thousand dollars worth of damage to take action 1051 02:00:36,39 --> 02:00:39,80 that case so we believe the problem's immediate it's growing. 1052 02:00:39,80 --> 02:00:43,42 There is a solution and we hope the Congress moves quickly on this. Thank you. 1053 02:00:43,42 --> 02:00:47,27 Are our legislative efforts enough. 1054 02:00:47,27 --> 02:00:49,28 And what can consumers 1055 02:00:49,28 --> 02:00:56,22 and businesses do to protect themselves to minimize the threat of cyber crime 1056 02:00:56,22 --> 02:01:02,91 legislation is a key part but it's not by itself the sole solution. 1057 02:01:02,91 --> 02:01:08,00 There are public awareness activities that are underway through the F.T.C. 1058 02:01:08,00 --> 02:01:13,47 and Other agencies to build awareness of this there are private sector efforts 1059 02:01:13,47 --> 02:01:16,25 that provide checklists to business owners.
1060 02:01:16,25 --> 02:01:20,43 What type of security products they need to deploy and security procedures 1061 02:01:20,43 --> 02:01:24,92 and finally there are joint partnerships between industry 1062 02:01:24,92 --> 02:01:30,58 and law enforcement the national cyber forensic training Alliance in Pittsburgh is 1063 02:01:30,58 --> 02:01:32,17 just such an organization B.S.A. 1064 02:01:32,17 --> 02:01:37,89 Supports that as do many in industry they collect data on cyber crime share 1065 02:01:37,89 --> 02:01:39,19 that information with law enforcement 1066 02:01:39,19 --> 02:01:44,67 and assist in helping with the prosecution so it takes a combined effort of which 1067 02:01:44,67 --> 02:01:49,00 legislation is only one component but it's an essential component. 1068 02:01:49,00 --> 02:01:52,67 Thank you very much in this chairman as my colleague from North Carolina did I 1069 02:01:52,67 --> 02:01:57,11 would be happy to go back in the interest of the rest of the bank 1070 02:01:57,11 --> 02:01:59,73 that could be divided between the gentleman from Texas and the gentleman from. 1071 02:02:00,00 --> 02:02:06,40 Foreign air but I think I'll just go back grow refer you generally from Texas. 1072 02:02:06,40 --> 02:02:10,06 Thank you very much Mr Chairman let me thank you Mr Conyers 1073 02:02:10,06 --> 02:02:16,47 and the other co-sponsors for moving forward on what will continue to grow to be 1074 02:02:16,47 --> 02:02:22,35 maybe in some minds an insurmountable problem as we become more technological 1075 02:02:22,35 --> 02:02:28,36 and the sophistication of the technology that we use becomes more finite certainly. 1076 02:02:28,36 --> 02:02:32,30 And more broadly utilized it seems that privacy. 1077 02:02:32,30 --> 02:02:37,45 In the midst of innovation is a stepchild and I think 1078 02:02:37,45 --> 02:02:43,19 that the Congress has a duty to ensure as the Ninth Amendment.
1079 02:02:43,19 --> 02:02:46,42 instructed us to do, to not forget privacy 1080 02:02:46,42 --> 02:02:50,18 but also the abuse of too much information, identity theft 1081 02:02:50,18 --> 02:02:55,36 and otherwise. With the good comes the bad, with benefit comes the burden. 1082 02:02:55,36 --> 02:03:00,86 So this will go on as it relates to the potential crime that may come about 1083 02:03:00,86 --> 02:03:05,35 through the misuse of this technology, cybersecurity. 1084 02:03:05,35 --> 02:03:09,34 My question would be the ability and the need, 1085 02:03:09,34 --> 02:03:14,88 if you will, to ensure coordination between all levels of law enforcement. 1086 02:03:14,88 --> 02:03:18,39 Even if you're speaking of for example in Houston, Texas, 1087 02:03:18,39 --> 02:03:22,64 what we call a layered police force. 1088 02:03:22,64 --> 02:03:23,96 We have a constable 1089 02:03:23,96 --> 02:03:27,55 that has a jurisdiction maybe of seven hundred fifty thousand eight hundred 1090 02:03:27,55 --> 02:03:28,78 thousand. 1091 02:03:28,78 --> 02:03:29,85 Those are individuals 1092 02:03:29,85 --> 02:03:33,26 that are closer to the constituents, they are the ones who do the eviction work 1093 02:03:33,26 --> 02:03:37,80 and otherwise. But again they are right there on the ground 1094 02:03:37,80 --> 02:03:44,68 and we have sheriffs, we have police officers, of course we have the F.B.I. 1095 02:03:44,68 --> 02:03:46,14 and of course the U.S. Secret Service 1096 02:03:46,14 --> 02:03:49,21 and just a number of layers. So I'd be interested in 1097 02:03:49,21 --> 02:03:56,17 that I'd be interested from his county and welcome to get an established for us. 1098 02:03:56,17 --> 02:03:59,95 How significant a problem is this whole issue of the invasion 1099 02:04:00,00 --> 02:04:01,91 of privacy, how give us,
1100 02:04:01,91 --> 02:04:04,59 if you will, the broadness of the problem 1101 02:04:04,59 --> 02:04:07,58 and the depth of the problem if you will, 1102 02:04:07,58 --> 02:04:13,09 and I have another question. Let me yield to Mr Magara. Thank you very much. 1103 02:04:13,09 --> 02:04:16,35 We partner very well with state 1104 02:04:16,35 --> 02:04:19,50 and local law enforcement as well as federal agencies 1105 02:04:19,50 --> 02:04:23,28 and we realize the importance of sharing information on different cases 1106 02:04:23,28 --> 02:04:25,00 that we are working. 1107 02:04:25,00 --> 02:04:28,99 Quite frankly across the country we have twenty-nine different financial crimes task 1108 02:04:28,99 --> 02:04:29,57 forces 1109 02:04:29,57 --> 02:04:33,93 and twenty-four electronic crime task forces. Those task forces are built on sharing 1110 02:04:33,93 --> 02:04:38,18 information not only with law enforcement, with private sector as well as the 1111 02:04:38,18 --> 02:04:43,04 academic community. I feel the sharing of the information that we have and we do 1112 02:04:43,04 --> 02:04:47,26 addresses those concerns that you have very well. 1113 02:04:47,26 --> 02:04:49,04 And 1114 02:04:49,04 --> 02:04:53,93 and in let me just expand a little bit more. Are you in constant communication with local 1115 02:04:53,93 --> 02:04:56,29 law enforcement? Maybe I missed it. 1116 02:04:56,29 --> 02:04:58,81 Are there task forces that are addressing this question? 1117 02:04:58,81 --> 02:05:02,70 Yes, on all of our task forces, Financial Crimes Task Force 1118 02:05:02,70 --> 02:05:04,73 as well as electronic task forces. 1119 02:05:04,73 --> 02:05:09,31 State and local law enforcement are key partners in those task forces so 1120 02:05:09,31 --> 02:05:12,79 that information is disseminated through them to back to their department so 1121 02:05:12,79 --> 02:05:18,76 that we're coordinating our efforts to address identity theft. 1122 02:05:18,76 --> 02:05:20,28 MISKELLY.
1123 02:05:20,28 --> 02:05:26,12 Thank you, Congresswoman Jackson Lee. This is probably the most significant part of 1124 02:05:26,12 --> 02:05:29,95 why data breach is even being considered by this committee. 1125 02:05:29,95 --> 02:05:36,75 Millions of records of individuals online are available through electronic transfer. 1126 02:05:36,75 --> 02:05:41,41 The question is whether it is the victim's responsibility 1127 02:05:41,41 --> 02:05:46,57 or whether it is the data holder's responsibility to manage control of 1128 02:05:46,57 --> 02:05:50,39 that information that remember victims are in damage control mode. 1129 02:05:50,39 --> 02:05:54,59 They have no idea that they've been attacked until they get notice. 1130 02:05:54,59 --> 02:05:59,72 When they get notice they can react. Unfortunately notice is usually 1131 02:06:00,00 --> 02:06:03,65 coming because I've gotten they gotten some communication through the mail of 1132 02:06:03,65 --> 02:06:07,24 gotten hand looked at their credit report and that's when they know 1133 02:06:07,24 --> 02:06:09,77 that someone has appropriated their identity 1134 02:06:09,77 --> 02:06:15,78 and literally stolen in their name. It takes hundreds of hours sometimes just to 1135 02:06:15,78 --> 02:06:18,86 correct that information and the mental and divide and the stress 1136 02:06:18,86 --> 02:06:19,43 that comes with 1137 02:06:19,43 --> 02:06:24,99 that it's very difficult for people who have not been victimized to even understand. 1138 02:06:24,99 --> 02:06:27,44 Those who are in possession of the data 1139 02:06:27,44 --> 02:06:30,33 have an obligation, a moral obligation, 1140 02:06:30,33 --> 02:06:34,34 and it should be a legal obligation, to inform people 1141 02:06:34,34 --> 02:06:39,11 when these things occur at the jurisdiction of this committee limits what you can 1142 02:06:39,11 --> 02:06:40,30 do in that regard.
1143 02:06:40,30 --> 02:06:45,63 You can hold data owner data managers because the data owners are really the people 1144 02:06:45,63 --> 02:06:47,62 whose information they're call the control 1145 02:06:47,62 --> 02:06:51,48 and make them responsible reporting to a government agency. 1146 02:06:51,48 --> 02:06:56,13 That agency in turn will report through the Federal Register list of those entities 1147 02:06:56,13 --> 02:06:58,48 who have had their data compromised. 1148 02:06:58,48 --> 02:07:01,92 I think this is a reasonable approach. The numbers of it. 1149 02:07:01,92 --> 02:07:07,73 Victims two hundred sixteen million Americans have been impacted by the loss of 1150 02:07:07,73 --> 02:07:10,88 data. It's appropriate and definitely is 1151 02:07:10,88 --> 02:07:13,54 that in this legislation what you've just recommended? 1152 02:07:13,54 --> 02:07:18,12 Yes, it is a part that requires those entities that suspect 1153 02:07:18,12 --> 02:07:22,89 that their data has been compromised must report to the Secret Service the 1154 02:07:22,89 --> 02:07:23,72 compromise 1155 02:07:23,72 --> 02:07:27,21 and the Secret Service in turn once a year will publish in the Federal Register 1156 02:07:27,21 --> 02:07:30,00 list of those entities. Thank you, Mr Chairman. Let me just comment 1157 02:07:30,00 --> 02:07:33,90 and to highlight section one zero two 1158 02:07:33,90 --> 02:07:39,71 that provides criminal penalties for those who don't provide the notice of the 1159 02:07:39,71 --> 02:07:44,20 security breach. And finally might I say what we don't have yet, 1160 02:07:44,20 --> 02:07:49,34 which we expect to have in the next couple of years, is electronic reporting of 1161 02:07:49,34 --> 02:07:50,53 medical records. 1162 02:07:50,53 --> 02:07:51,50 Once we add 1163 02:07:51,50 --> 02:07:55,47 that large component required to the system bring all medical facilities 1164 02:07:55,47 --> 02:07:59,64 and physicians online. We have an enhanced opportunity for.
1165 02:08:00,29 --> 02:08:02,79 And so I hope this legislation will move through this committee 1166 02:08:02,79 --> 02:08:05,81 and move to the floor and have the President's signature. I yield back. 1167 02:08:05,81 --> 02:08:06,92 Thank you 1168 02:08:06,92 --> 02:08:11,16 and I want to thank all of our witnesses for their testimony. Members may have 1169 02:08:11,16 --> 02:08:16,44 additional questions to ask and if so I will submit those to you in writing 1170 02:08:16,44 --> 02:08:21,64 and would appreciate if you could respond as soon as possible so the 1171 02:08:21,64 --> 02:08:25,79 answers can be part of the record. Without objection the hearing record will remain 1172 02:08:25,79 --> 02:08:30,89 open for one week for the submission of additional materials. The chairman of the 1173 02:08:30,89 --> 02:08:35,82 Commercial and Administrative Law Subcommittee has offered a statement. 1174 02:08:35,82 --> 02:08:37,44 She has reminded us 1175 02:08:37,44 --> 02:08:42,19 that some of the parts of the bill come under the jurisdiction of her 1176 02:08:42,19 --> 02:08:45,13 subcommittee as well as most of it in this subcommittee 1177 02:08:45,13 --> 02:08:52,76 and so she has an interest in this legislation without a gentleman from Texas. 1178 02:08:52,76 --> 02:08:57,40 Thank you, Mr Chairman. I was made aware that there may have been a study 1179 02:08:57,40 --> 02:09:03,68 that actually deals with how often businesses notify 1180 02:09:03,68 --> 02:09:09,98 consumers of the breach or loss of data, and is that right, 1181 02:09:09,98 --> 02:09:14,66 Mr Lowry? It's not a, it's not a government study but there has been a study done. 1182 02:09:14,66 --> 02:09:18,94 Could you direct us to that information to follow? 1183 02:09:18,94 --> 02:09:23,95 Yes, I will provide that information. And does that study indicate how often 1184 02:09:23,95 --> 02:09:28,38 criminal activity takes place after a breach?
1185 02:09:28,38 --> 02:09:33,52 I don't, I don't know if it does. The only, the only thing I know about the study is 1186 02:09:33,52 --> 02:09:34,54 is that, 1187 02:09:34,54 --> 02:09:36,97 and again this is not a government study 1188 02:09:36,97 --> 02:09:41,77 that we cannot say with any degree of certainty whether it's accurate. 1189 02:09:41,77 --> 02:09:44,87 But the only thing I know about the study as I sit here 1190 02:09:44,87 --> 02:09:47,70 and will provide to you is that 1191 02:09:47,70 --> 02:09:48,74 they asked 1192 02:09:48,74 --> 02:09:54,77 that approximately thirty percent of breaches are reported by victims. 1193 02:09:54,77 --> 02:09:59,38 Thank you for that objection Committee stands adjourned.